From 6038525d4b2b44ed98136ae7c86e9d8802901261 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 9 Jan 2020 18:07:33 +0100 Subject: [PATCH 001/156] Merge wazuh container from 3.10-refactor --- wazuh/Dockerfile | 85 ++++++++----------- wazuh/config/01-config_filebeat.sh | 19 ----- wazuh/config/entrypoint.sh | 14 --- .../cont-init.d/0-wazuh-init} | 43 ++-------- .../config/etc/cont-init.d/1-config-filebeat | 31 +++++++ wazuh/config/etc/cont-init.d/2-manager | 3 + wazuh/config/etc/services.d/api/finish | 6 ++ wazuh/config/etc/services.d/api/run | 4 + wazuh/config/etc/services.d/filebeat/finish | 6 ++ wazuh/config/etc/services.d/filebeat/run | 4 + wazuh/config/filebeat.runit.service | 4 - wazuh/config/filebeat.yml | 15 ---- wazuh/config/postfix.runit.service | 4 - wazuh/config/wazuh-api.runit.service | 5 -- wazuh/config/wazuh.repo | 7 ++ wazuh/config/wazuh.runit.service | 5 -- 16 files changed, 102 insertions(+), 153 deletions(-) delete mode 100644 wazuh/config/01-config_filebeat.sh delete mode 100644 wazuh/config/entrypoint.sh rename wazuh/config/{00-wazuh.sh => etc/cont-init.d/0-wazuh-init} (67%) create mode 100644 wazuh/config/etc/cont-init.d/1-config-filebeat create mode 100644 wazuh/config/etc/cont-init.d/2-manager create mode 100644 wazuh/config/etc/services.d/api/finish create mode 100644 wazuh/config/etc/services.d/api/run create mode 100644 wazuh/config/etc/services.d/filebeat/finish create mode 100644 wazuh/config/etc/services.d/filebeat/run delete mode 100644 wazuh/config/filebeat.runit.service delete mode 100644 wazuh/config/filebeat.yml delete mode 100644 wazuh/config/postfix.runit.service delete mode 100644 wazuh/config/wazuh-api.runit.service create mode 100644 wazuh/config/wazuh.repo delete mode 100644 wazuh/config/wazuh.runit.service diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index cc813988..f3d36e52 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile 
@@ -1,51 +1,54 @@ # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -FROM phusion/baseimage:latest +FROM centos:7 -ARG FILEBEAT_VERSION=7.5.0 - -ARG WAZUH_VERSION=3.10.2-1 +ARG FILEBEAT_VERSION=7.5.1 +ARG WAZUH_VERSION=3.11.1-1 +ARG TEMPLATE_VERSION="v3.11.1" +ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz" ENV API_USER="foo" \ API_PASS="bar" -ARG TEMPLATE_VERSION="v3.10.2" # Set repositories. -RUN set -x && echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \ - curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \ - curl --silent --location https://deb.nodesource.com/setup_8.x | bash - && \ - echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections && \ - echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections && \ - groupadd -g 1000 ossec && useradd -u 1000 -g 1000 -d /var/ossec ossec +RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH -RUN add-apt-repository universe && apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \ - apt-get --no-install-recommends --no-install-suggests -y install openssl postfix bsd-mailx python-boto python-pip \ - apt-transport-https vim expect nodejs python-cryptography mailutils libsasl2-modules wazuh-manager=${WAZUH_VERSION} \ - wazuh-api=${WAZUH_VERSION} && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && rm -f \ - /var/ossec/logs/alerts/*/*/*.log && rm -f /var/ossec/logs/alerts/*/*/*.json && rm -f \ - /var/ossec/logs/archives/*/*/*.log && rm -f /var/ossec/logs/archives/*/*/*.json && rm -f \ - /var/ossec/logs/firewall/*/*/*.log && rm -f /var/ossec/logs/firewall/*/*/*.json +COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo + +RUN yum --enablerepo=updates clean metadata && \ + yum -y install openssl && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \ + curl --silent --location https://rpm.nodesource.com/setup_8.x | bash - && \ + yum -y 
install nodejs && yum -y install wazuh-api-${WAZUH_VERSION} && \ + sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \ + yum clean all && rm -rf /var/cache/yum + +RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm &&\ + rpm -i filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm + +RUN curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/${TEMPLATE_VERSION}/extensions/filebeat/7.x/filebeat.yml &&\ + chmod go+r /etc/filebeat/filebeat.yml + +RUN curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/${TEMPLATE_VERSION}/extensions/elasticsearch/7.x/wazuh-template.json &&\ + chmod go+r /etc/filebeat/wazuh-template.json + +RUN curl -s https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module + +ARG S6_VERSION="v1.22.1.0" +RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \ + -o /tmp/s6-overlay-amd64.tar.gz && \ + tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \ + tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \ + rm /tmp/s6-overlay-amd64.tar.gz # Adding first run script and entrypoint -COPY config/data_dirs.env /data_dirs.env -COPY config/init.bash /init.bash -RUN mkdir /entrypoint-scripts -COPY config/entrypoint.sh /entrypoint.sh -COPY config/00-wazuh.sh /entrypoint-scripts/00-wazuh.sh -COPY config/01-config_filebeat.sh /entrypoint-scripts/01-config_filebeat.sh +COPY config/data_dirs.env config/init.bash / # Sync calls are due to https://github.com/docker/docker/issues/9547 RUN chmod 755 /init.bash && \ sync && /init.bash && \ - sync && rm /init.bash && \ - curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\ - dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f 
filebeat-${FILEBEAT_VERSION}-amd64.deb && \ - chmod 755 /entrypoint.sh && \ - chmod 755 /entrypoint-scripts/00-wazuh.sh && \ - chmod 755 /entrypoint-scripts/01-config_filebeat.sh + sync && rm /init.bash -COPY config/filebeat.yml /etc/filebeat/ -RUN chmod go-w /etc/filebeat/filebeat.yml +COPY config/etc/ /etc/ # Setting volumes VOLUME ["/var/ossec/data"] @@ -56,25 +59,9 @@ VOLUME ["/var/lib/filebeat"] # Services ports EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp -# Adding services -RUN mkdir /etc/service/wazuh && \ - mkdir /etc/service/wazuh-api && \ - mkdir /etc/service/postfix && \ - mkdir /etc/service/filebeat - -COPY config/wazuh.runit.service /etc/service/wazuh/run -COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run -COPY config/postfix.runit.service /etc/service/postfix/run -COPY config/filebeat.runit.service /etc/service/filebeat/run - -RUN chmod +x /etc/service/wazuh-api/run && \ - chmod +x /etc/service/wazuh/run && \ - chmod +x /etc/service/postfix/run && \ - chmod +x /etc/service/filebeat/run - ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat RUN chmod go-w /etc/filebeat/wazuh-template.json # Run all services -ENTRYPOINT ["/entrypoint.sh"] \ No newline at end of file +ENTRYPOINT ["/entrypoint.sh"] diff --git a/wazuh/config/01-config_filebeat.sh b/wazuh/config/01-config_filebeat.sh deleted file mode 100644 index 818878c0..00000000 --- a/wazuh/config/01-config_filebeat.sh +++ /dev/null 
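Review bot: The two `curl -so` downloads of filebeat.yml and wazuh-template.json have no `--fail`, so on an HTTP error curl writes the error page into the config file and exits 0, and the build succeeds with a broken Filebeat config; use `curl --fail -so …` as the s6-overlay download in the same hunk already does. None of the fetched artifacts here (the filebeat-oss RPM, the s6-overlay tarball, the wazuh-filebeat module tarball, and the nodesource setup script piped straight into bash) is checked against a pinned checksum or signature, so the build trusts whatever the remote serves; pin a sha256 per artifact and verify it before `rpm -i`/`tar`, and pin `FROM centos:7` by digest for the same reason. wazuh-template.json is also fetched twice, once via curl in this hunk and again by the `ADD https://…/wazuh-template.json` kept as context in the hunk at -56, so one of the two should go.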
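Review bot: `ENTRYPOINT ["/entrypoint.sh"]` on the new side still points at wazuh/config/entrypoint.sh, which this commit deletes and no longer copies into the image (the `COPY config/entrypoint.sh` line is removed in the hunk at -1), so the container cannot start. With s6-overlay installed and the services moved under /etc/services.d, the entrypoint should be `ENTRYPOINT ["/init"]`.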
@@ -1,19 +0,0 @@ -#!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) - -set -e - -WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz - -# Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set -if [ "$ELASTICSEARCH_URL" != "" ]; then - >&2 echo "Customize Elasticsearch ouput IP." - sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml -fi - -# Install Wazuh Filebeat Module - -curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module -mkdir -p /usr/share/filebeat/module/wazuh -chmod 755 -R /usr/share/filebeat/module/wazuh - diff --git a/wazuh/config/entrypoint.sh b/wazuh/config/entrypoint.sh deleted file mode 100644 index d8ae1163..00000000 --- a/wazuh/config/entrypoint.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) - -# It will run every .sh script located in entrypoint-scripts folder in lexicographical order -for script in `ls /entrypoint-scripts/*.sh | sort -n`; do - bash "$script" - -done - -############################################################################## -# Start Wazuh Server. -############################################################################## - -/sbin/my_init diff --git a/wazuh/config/00-wazuh.sh b/wazuh/config/etc/cont-init.d/0-wazuh-init similarity index 67% rename from wazuh/config/00-wazuh.sh rename to wazuh/config/etc/cont-init.d/0-wazuh-init index 9d5614f9..ae1b4a89 100644 --- a/wazuh/config/00-wazuh.sh +++ b/wazuh/config/etc/cont-init.d/0-wazuh-init @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/with-contenv bash # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) # Wazuh container bootstrap. See the README for information of the environment @@ -7,7 +7,7 @@ # Startup the services source /data_dirs.env -FIRST_TIME_INSTALLATION=false +FIRST_TIME_INSTALLATION=true WAZUH_INSTALL_PATH=/var/ossec DATA_PATH=${WAZUH_INSTALL_PATH}/data 
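Review bot: `FIRST_TIME_INSTALLATION=true` is now hard-coded, but the only reader visible in this diff, the certificate-generation block at -59 of the same file, is deleted in this commit, so the variable becomes write-only and `AUTO_ENROLLMENT_ENABLED` / `API_GENERATE_CERTS` (context at +59) keep their defaults without anything acting on them. The practical effect is that the API is no longer switched to HTTPS and no ossec-authd key/cert is generated on first start; if that is intended for the s6 migration, say so in the commit message and README, otherwise keep the block. The rest of the script is outside this hunk.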
@@ -59,30 +59,6 @@ chmod g+rw ${DATA_PATH}/process_list AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true} API_GENERATE_CERTS=${API_GENERATE_CERTS:-true} -if [ $FIRST_TIME_INSTALLATION == true ] -then - if [ $AUTO_ENROLLMENT_ENABLED == true ] - then - if [ ! -e ${DATA_PATH}/etc/sslmanager.key ] - then - print "Creating ossec-authd key and cert" - exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096" - exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/" - fi - fi - if [ $API_GENERATE_CERTS == true ] - then - if [ ! -e ${DATA_PATH}/api/configuration/ssl/server.crt ] - then - print "Enabling Wazuh API HTTPS" - edit_configuration "https" "yes" - print "Create Wazuh API key and cert" - exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096" - exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/" - fi - fi -fi - ############################################################################## # Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect # destination files permissions 
@@ -104,17 +80,6 @@ function ossec_shutdown(){ ${WAZUH_INSTALL_PATH}/bin/ossec-control stop; } -############################################################################## -# Allow users to set the container hostname as dynamically on -# container start. -# -# To use this: -# 1. Create your own ossec.conf file -# 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name -# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf -############################################################################## -sed -i 's/to_be_replaced_by_hostname<\/node_name>/'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf - # Trap exit signals and do a proper shutdown trap "ossec_shutdown; exit" SIGINT SIGTERM @@ -139,8 +104,10 @@ done pushd /var/ossec/api/configuration/auth/ +env + echo "Change Wazuh API user credentials" change_user="node htpasswd -b -c user $API_USER $API_PASS" eval $change_user -popd \ No newline at end of file +popd diff --git a/wazuh/config/etc/cont-init.d/1-config-filebeat b/wazuh/config/etc/cont-init.d/1-config-filebeat new file mode 100644 index 00000000..f968f638 --- /dev/null +++ b/wazuh/config/etc/cont-init.d/1-config-filebeat 
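Review bot: The added `env` dumps the entire container environment to stdout during init, which includes `API_USER`/`API_PASS` (set via `ENV` in wazuh/Dockerfile) and any `PASSWORD`/`USERNAME`/`SSL_*` values passed for Filebeat, so credentials end up in `docker logs` and in any log shipper reading them. It reads as a leftover debug line; remove it. The `eval $change_user` just below is pre-existing, but quoting `$API_PASS` inside `change_user` would be a cheap fix in the same area, since a password containing spaces or shell metacharacters is currently mis-parsed.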
@@ -0,0 +1,31 @@ +#!/usr/bin/with-contenv bash +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +set -e + +WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz + +if [ "$ELASTICSEARCH_URL" != "" ]; then + >&2 echo "Customize Elasticsearch ouput IP" + sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml +fi + +# Configure filebeat.yml security settings + +if [ "$SSL_CERTIFICATE_AUTHORITIES" != "" ]; then + >&2 echo "Configuring Certificate Authorities." + sed -i 's|#ssl.certificate_authorities:|'ssl.certificate_authorities:\ [\"$SSL_CERTIFICATE_AUTHORITIES\"]'|g' /etc/filebeat/filebeat.yml +fi + +if [ "$USERNAME" != "" ]; then + >&2 echo "Configuring username." + sed -i 's|#username:|'username:\ \"$USERNAME\"'|g' /etc/filebeat/filebeat.yml +fi + +if [ "$PASSWORD" != "" ]; then + >&2 echo "Configuring password." + sed -i 's|#password:|'password:\ \"$PASSWORD\"'|g' /etc/filebeat/filebeat.yml +fi + +chmod go-w /etc/filebeat/filebeat.yml || true +chown root: /etc/filebeat/filebeat.yml || true diff --git a/wazuh/config/etc/cont-init.d/2-manager b/wazuh/config/etc/cont-init.d/2-manager new file mode 100644 index 00000000..e548e8b1 --- /dev/null +++ b/wazuh/config/etc/cont-init.d/2-manager @@ -0,0 +1,3 @@ +#!/usr/bin/with-contenv bash + +/var/ossec/bin/ossec-control start diff --git a/wazuh/config/etc/services.d/api/finish b/wazuh/config/etc/services.d/api/finish new file mode 100644 index 00000000..38d744d1 --- /dev/null +++ b/wazuh/config/etc/services.d/api/finish @@ -0,0 +1,6 @@ +#!/usr/bin/env sh +echo >&2 "API exited. code=${1}" + +# terminate other services to exit from the container +exec s6-svscanctl -t /var/run/s6/services + diff --git a/wazuh/config/etc/services.d/api/run b/wazuh/config/etc/services.d/api/run new file mode 100644 index 00000000..e6e3e831 --- /dev/null +++ b/wazuh/config/etc/services.d/api/run @@ -0,0 +1,4 @@ +#!/usr/bin/with-contenv sh +echo >&2 "starting API" + +exec /bin/node /var/ossec/api/app.js 
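Review bot: The values of `ELASTICSEARCH_URL`, `SSL_CERTIFICATE_AUTHORITIES`, `USERNAME` and `PASSWORD` are spliced into the sed replacement text unescaped and, for the first one, outside the single quotes (`'$ELASTICSEARCH_URL'`), so a value containing `|`, `&`, `\`, `"` or whitespace either breaks the sed expression (and the script, under `set -e`) or writes invalid YAML; escape those characters before substitution, or lean on Filebeat's own `${VAR}` environment expansion in filebeat.yml so the file never has to be rewritten. After the password is written the file is only made non-writable (`chmod go-w`), which leaves it world-readable inside the container; since Filebeat runs as root in this image, `chmod 600 /etc/filebeat/filebeat.yml` is the better default. `WAZUH_FILEBEAT_MODULE` is assigned but never used in this script now that the module is unpacked in the Dockerfile.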
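Review bot: `/var/ossec/bin/ossec-control start` in 2-manager runs as a one-shot cont-init.d step with no `set -e`, so a failed start does not abort init, and unlike the API and Filebeat units under services.d there is no `finish` script, so a manager that dies later leaves the container running with only the API and Filebeat up. At minimum add `set -e` after the shebang; longer term the manager belongs in a supervised services.d unit like the other two, if a foreground mode is available for it.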
diff --git a/wazuh/config/etc/services.d/filebeat/finish b/wazuh/config/etc/services.d/filebeat/finish new file mode 100644 index 00000000..8813eb67 --- /dev/null +++ b/wazuh/config/etc/services.d/filebeat/finish @@ -0,0 +1,6 @@ +#!/usr/bin/env sh +echo >&2 "Filebeat exited. code=${1}" + +# terminate other services to exit from the container +exec s6-svscanctl -t /var/run/s6/services + diff --git a/wazuh/config/etc/services.d/filebeat/run b/wazuh/config/etc/services.d/filebeat/run new file mode 100644 index 00000000..706ee5af --- /dev/null +++ b/wazuh/config/etc/services.d/filebeat/run @@ -0,0 +1,4 @@ +#!/usr/bin/with-contenv sh +echo >&2 "starting Filebeat" + +exec /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat diff --git a/wazuh/config/filebeat.runit.service b/wazuh/config/filebeat.runit.service deleted file mode 100644 index 9b048caa..00000000 --- a/wazuh/config/filebeat.runit.service +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -service filebeat start -tail -f /var/log/filebeat/filebeat diff --git a/wazuh/config/filebeat.yml b/wazuh/config/filebeat.yml deleted file mode 100644 index 46600662..00000000 --- a/wazuh/config/filebeat.yml +++ /dev/null @@ -1,15 +0,0 @@ -# Wazuh - Filebeat configuration file -filebeat.modules: - - module: wazuh - alerts: - enabled: true - archives: - enabled: false - -setup.template.json.enabled: true -setup.template.json.path: '/etc/filebeat/wazuh-template.json' -setup.template.json.name: 'wazuh' -setup.template.overwrite: true -setup.ilm.enabled: false - -output.elasticsearch.hosts: ['http://elasticsearch:9200'] \ No newline at end of file diff --git a/wazuh/config/postfix.runit.service b/wazuh/config/postfix.runit.service deleted file mode 100644 index e900b5e5..00000000 --- a/wazuh/config/postfix.runit.service +++ /dev/null 
@@ -1,4 +0,0 @@ -#!/bin/sh -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -service postfix start -tail -f /var/log/mail.log diff --git a/wazuh/config/wazuh-api.runit.service b/wazuh/config/wazuh-api.runit.service deleted file mode 100644 index 198fa4a1..00000000 --- a/wazuh/config/wazuh-api.runit.service +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -service wazuh-api start -tail -f /var/ossec/data/logs/api.log - diff --git a/wazuh/config/wazuh.repo b/wazuh/config/wazuh.repo new file mode 100644 index 00000000..ae462c62 --- /dev/null +++ b/wazuh/config/wazuh.repo @@ -0,0 +1,7 @@ +[wazuh_repo] +gpgcheck=1 +gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH +enabled=1 +name=Wazuh repository +baseurl=https://packages.wazuh.com/3.x/yum/ +protect=1 diff --git a/wazuh/config/wazuh.runit.service b/wazuh/config/wazuh.runit.service deleted file mode 100644 index 7ab6f1e1..00000000 --- a/wazuh/config/wazuh.runit.service +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -service wazuh-manager start -tail -f /var/ossec/data/logs/ossec.log - From 53f905937e34899245aa17551ffe2a13d99f50c7 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 9 Jan 2020 18:10:49 +0100 Subject: [PATCH 002/156] Move apt-get clean into same layer as apt-get install --- nginx/Dockerfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/nginx/Dockerfile b/nginx/Dockerfile index 2ca20d6f..f348cb19 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile 
@@ -3,14 +3,13 @@ FROM nginx:latest ENV DEBIAN_FRONTEND noninteractive -RUN apt-get update && apt-get install -y openssl apache2-utils +RUN apt-get update && apt-get install -y openssl apache2-utils && \ + apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* COPY config/entrypoint.sh /entrypoint.sh RUN chmod 755 /entrypoint.sh -RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* - VOLUME ["/etc/nginx/conf.d"] ENV NGINX_NAME="foo" \ From 5001a7d220a1e0b06e97fd3db99964a8cf4dff9a Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 9 Jan 2020 18:18:00 +0100 Subject: [PATCH 003/156] Set docker-compose to build from sources --- docker-compose.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index c80df55e..65421280 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,7 +3,7 @@ version: '2' services: wazuh: - image: wazuh/wazuh:3.10.2_7.5.0 + build: wazuh hostname: wazuh-manager restart: always ports: @@ -11,9 +11,8 @@ services: - "1515:1515" - "514:514/udp" - "55000:55000" - elasticsearch: - image: wazuh/wazuh-elasticsearch:3.10.2_7.5.0 + build: elasticsearch hostname: elasticsearch restart: always ports: @@ -28,9 +27,8 @@ services: soft: -1 hard: -1 mem_limit: 2g - kibana: - image: wazuh/wazuh-kibana:3.10.2_7.5.0 + build: kibana hostname: kibana restart: always depends_on: @@ -39,7 +37,7 @@ services: - elasticsearch:elasticsearch - wazuh:wazuh nginx: - image: wazuh/wazuh-nginx:3.10.2_7.5.0 + build: nginx hostname: nginx restart: always environment: From bfba87a4b07795a879ad3d6c5048353f5bed73c4 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 9 Jan 2020 18:18:28 +0100 Subject: [PATCH 004/156] Bump elasticsearch version --- elasticsearch/Dockerfile | 4 ++-- elasticsearch/config/config_cluster.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/elasticsearch/Dockerfile b/elasticsearch/Dockerfile index 25633294..66a00475 100644 
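Review bot: The rewritten `apt-get install -y openssl apache2-utils` still pulls recommended packages and unpinned versions; since the line is being touched anyway, use `apt-get install -y --no-install-recommends openssl apache2-utils`. The surrounding context keeps `FROM nginx:latest` and the legacy space-separated `ENV DEBIAN_FRONTEND noninteractive`, which bakes a build-time setting into the runtime environment; pinning the tag and switching to `ARG DEBIAN_FRONTEND=noninteractive` would be natural follow-ups in this file.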
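Review bot: Replacing `image:` with `build:` for all four services drops the image name, so the images compose builds are tagged only by project and service name and no longer carry the `3.11.1_7.5.1` version that VERSION declares later in this series. Keeping `image: wazuh/wazuh:3.11.1_7.5.1` next to `build: wazuh` (and likewise for elasticsearch, kibana and nginx) makes compose tag the built image, so the release tag and the source build stay in step.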
--- a/elasticsearch/Dockerfile +++ b/elasticsearch/Dockerfile @@ -1,5 +1,5 @@ # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -ARG ELASTIC_VERSION=7.5.0 +ARG ELASTIC_VERSION=7.5.1 FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION} ARG S3_PLUGIN_URL="https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-${ELASTIC_VERSION}.zip" @@ -15,7 +15,7 @@ ENV XPACK_ML="true" ENV ENABLE_CONFIGURE_S3="false" -ARG TEMPLATE_VERSION=v3.10.2 +ARG TEMPLATE_VERSION=v3.11.1 # Elasticearch cluster configuration environment variables # If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration diff --git a/elasticsearch/config/config_cluster.sh b/elasticsearch/config/config_cluster.sh index d1d0e532..31b563bf 100644 --- a/elasticsearch/config/config_cluster.sh +++ b/elasticsearch/config/config_cluster.sh @@ -13,7 +13,7 @@ remove_cluster_config(){ sed -i '/# cluster node/,/# end cluster config/d' $1 } -# If Elasticsearch cluster is enable, then set up the elasticsearch.yml +# If Elasticsearch cluster is enabled, then set up the elasticsearch.yml if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $CLUSTER_MASTER_NODE_NAME != "" ]]; then # Remove the old configuration remove_single_node_conf $elastic_config_file @@ -54,4 +54,4 @@ else remove_single_node_conf $elastic_config_file remove_cluster_config $elastic_config_file echo "discovery.type: single-node" >> $elastic_config_file -fi \ No newline at end of file +fi From 9d23180b6a5676fab66fc6110f932534eaeec25c Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 9 Jan 2020 18:19:16 +0100 Subject: [PATCH 005/156] Bump kibana version --- kibana/Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kibana/Dockerfile b/kibana/Dockerfile index d7f64b61..79715c91 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile 
@@ -1,8 +1,8 @@ # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -FROM docker.elastic.co/kibana/kibana:7.5.0 +FROM docker.elastic.co/kibana/kibana:7.5.1 USER kibana -ARG ELASTIC_VERSION=7.5.0 -ARG WAZUH_VERSION=3.10.2 +ARG ELASTIC_VERSION=7.5.1 +ARG WAZUH_VERSION=3.11.1 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" #ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /usr/share/kibana/ From 3e6d311721e901c5b4a51d145190c4fdaf37d7ef Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 9 Jan 2020 18:26:28 +0100 Subject: [PATCH 006/156] Fix entrypoint --- wazuh/Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index f3d36e52..af3884b6 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -63,5 +63,4 @@ EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat RUN chmod go-w /etc/filebeat/wazuh-template.json -# Run all services -ENTRYPOINT ["/entrypoint.sh"] +ENTRYPOINT [ "/init" ] From 72d74ad013ed49030c6b4013510c0b66cfffe94c Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 9 Jan 2020 18:34:38 +0100 Subject: [PATCH 007/156] Update VERSION --- VERSION | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index e7de9ceb..a6dcc8c8 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-DOCKER_VERSION="3.10.2_7.5.0" -REVISION="31030" \ No newline at end of file +WAZUH-DOCKER_VERSION="3.11.1_7.5.1" +REVISION="31110" From 3318f4d7f6627e938bc409d16007b5d072b63ad1 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Fri, 10 Jan 2020 09:42:53 +0100 Subject: [PATCH 008/156] Update directory structure --- README.md | 71 ++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 44 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index 0dffdeeb..6d7a8096 100644 
--- a/README.md +++ b/README.md @@ -24,33 +24,50 @@ In addition, a docker-compose file is provided to launch the containers mentione ## Directory structure - wazuh-docker - ├── docker-compose.yml - ├── kibana - │   ├── config - │   │   ├── entrypoint.sh - │   │   └── kibana.yml - │   └── Dockerfile - ├── LICENSE - ├── nginx - │   ├── config - │   │   └── entrypoint.sh - │   └── Dockerfile - ├── README.md - ├── CHANGELOG.md - ├── VERSION - ├── test.txt - └── wazuh - ├── config - │   ├── data_dirs.env - │   ├── entrypoint.sh - │   ├── filebeat.runit.service - │   ├── filebeat.yml - │   ├── init.bash - │   ├── postfix.runit.service - │   ├── wazuh-api.runit.service - │   └── wazuh.runit.service - └── Dockerfile + wazuh-docker + ├── CHANGELOG.md + ├── docker-compose.yml + ├── elasticsearch + │   ├── config + │   │   ├── config_cluster.sh + │   │   ├── configure_s3.sh + │   │   ├── entrypoint.sh + │   │   └── load_settings.sh + │   └── Dockerfile + ├── kibana + │   ├── config + │   │   ├── entrypoint.sh + │   │   ├── kibana_settings.sh + │   │   ├── wazuh_app_config.sh + │   │   ├── welcome_wazuh.sh + │   │   └── xpack_config.sh + │   └── Dockerfile + ├── LICENSE + ├── nginx + │   ├── config + │   │   └── entrypoint.sh + │   └── Dockerfile + ├── README.md + ├── VERSION + └── wazuh + ├── config + │   ├── data_dirs.env + │   ├── etc + │   │   ├── cont-init.d + │   │   │   ├── 0-wazuh-init + │   │   │   ├── 1-config-filebeat + │   │   │   └── 2-manager + │   │   └── services.d + │   │   ├── api + │   │   │   ├── finish + │   │   │   └── run + │   │   └── filebeat + │   │   ├── finish + │   │   └── run + │   ├── init.bash + │   └── wazuh.repo + └── Dockerfile + ## Branches From 88b1ace9bdaf443ea1d64c1aff2afd59d5697ec7 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Mon, 13 Jan 2020 10:38:24 +0100 Subject: [PATCH 009/156] Remove postfix volume --- wazuh/Dockerfile | 1 - 1 file changed, 1 deletion(-) 
diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index af3884b6..948e70c3 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -53,7 +53,6 @@ COPY config/etc/ /etc/ # Setting volumes VOLUME ["/var/ossec/data"] VOLUME ["/etc/filebeat"] -VOLUME ["/etc/postfix"] VOLUME ["/var/lib/filebeat"] # Services ports From 31ba5923fbc66ed084ab3193a81342cd010934ac Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Mon, 13 Jan 2020 10:40:03 +0100 Subject: [PATCH 010/156] Fix filebeat config --- wazuh/Dockerfile | 7 ++++--- wazuh/config/filebeat.yml | 21 +++++++++++++++++++++ 2 files changed, 25 insertions(+), 3 deletions(-) create mode 100644 wazuh/config/filebeat.yml diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index 948e70c3..ad50c160 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -25,9 +25,6 @@ RUN yum --enablerepo=updates clean metadata && \ RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm &&\ rpm -i filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm -RUN curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/${TEMPLATE_VERSION}/extensions/filebeat/7.x/filebeat.yml &&\ - chmod go+r /etc/filebeat/filebeat.yml - RUN curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/${TEMPLATE_VERSION}/extensions/elasticsearch/7.x/wazuh-template.json &&\ chmod go+r /etc/filebeat/wazuh-template.json @@ -48,6 +45,10 @@ RUN chmod 755 /init.bash && \ sync && /init.bash && \ sync && rm /init.bash +COPY config/filebeat.yml /etc/filebeat/ + +RUN chmod go-w /etc/filebeat/filebeat.yml + COPY config/etc/ /etc/ # Setting volumes diff --git a/wazuh/config/filebeat.yml b/wazuh/config/filebeat.yml new file mode 100644 index 00000000..0d04bac8 --- /dev/null +++ b/wazuh/config/filebeat.yml 
@@ -0,0 +1,21 @@ + +# Wazuh - Filebeat configuration file +filebeat.modules: + - module: wazuh + alerts: + enabled: true + archives: + enabled: false + +setup.template.json.enabled: true +setup.template.json.path: '/etc/filebeat/wazuh-template.json' +setup.template.json.name: 'wazuh' +setup.template.overwrite: true +setup.ilm.enabled: false +output.elasticsearch: + hosts: ['http://elasticsearch:9200'] + #ssl.certificate_authorities: + #ssl.certificate: + #ssl.key: + #username: + #password: From e1d3458846168ccd65e192d3855c30832334d201 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Mon, 13 Jan 2020 14:32:57 +0100 Subject: [PATCH 011/156] Add new behavior new app config behavior (since 3.11) --- kibana/config/wazuh_app_config.sh | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/kibana/config/wazuh_app_config.sh b/kibana/config/wazuh_app_config.sh index 5f238325..be224913 100644 --- a/kibana/config/wazuh_app_config.sh +++ b/kibana/config/wazuh_app_config.sh @@ -1,7 +1,12 @@ #!/bin/bash # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml" +wazuh_url="${WAZUH_API_URL:-http://wazuh}" +wazuh_port="${API_PORT:-55000}" +api_user="${API_USER:-foo}" +api_password="${API_PASS:-bar}" + +kibana_config_file="/usr/share/kibana/plugins/wazuh/wazuh.yml" declare -A CONFIG_MAP=( [pattern]=$PATTERN 
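Review bot: `api_user="${API_USER:-foo}"` and `api_password="${API_PASS:-bar}"` silently fall back to well-known default credentials that the later hunk writes into wazuh.yml, so an operator who forgets to set `API_PASS` gets a working but trivially guessable API login with no warning. Consider failing fast with `: "${API_PASS:?API_PASS must be set}"`, or at least printing a warning to stderr when the default is used. `declare -A CONFIG_MAP` continues outside the hunk.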
@@ -38,3 +43,23 @@ do sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file fi done + +# remove default API entry (new in 3.11.0_7.5.1) +sed -ie '/- default:/,+4d' $kibana_config_file + +CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth}) + +grep -q 1513629884013 $kibana_config_file +_config_exists=$? + +if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then +cat << EOF >> $kibana_config_file + - 1513629884013: + url: $wazuh_url + port: $wazuh_port + user: $api_user + password: $api_password +EOF +else + echo "Wazuh APP already configured" +fi From d903f01e177d263c8b6bf530519dd6ecc06e2207 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Mon, 13 Jan 2020 17:36:23 +0100 Subject: [PATCH 012/156] Disable old persistence method This is a temporary setting to achieve service stability, a new method for data persistence is on the works --- wazuh/Dockerfile | 10 ++-------- wazuh/config/etc/cont-init.d/0-wazuh-init | 11 ----------- 2 files changed, 2 insertions(+), 19 deletions(-) diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index ad50c160..04b05d90 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -37,20 +37,14 @@ RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releas tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \ rm /tmp/s6-overlay-amd64.tar.gz -# Adding first run script and entrypoint -COPY config/data_dirs.env config/init.bash / - -# Sync calls are due to https://github.com/docker/docker/issues/9547 -RUN chmod 755 /init.bash && \ - sync && /init.bash && \ - sync && rm /init.bash - COPY config/filebeat.yml /etc/filebeat/ RUN chmod go-w /etc/filebeat/filebeat.yml COPY config/etc/ /etc/ +COPY config/data_dirs.env / + # Setting volumes VOLUME ["/var/ossec/data"] VOLUME ["/etc/filebeat"] diff --git a/wazuh/config/etc/cont-init.d/0-wazuh-init b/wazuh/config/etc/cont-init.d/0-wazuh-init index ae1b4a89..10796414 100644 
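Review bot: `sed -ie '/- default:/,+4d' $kibana_config_file` does not mean `-i -e`: GNU sed takes `e` as the backup suffix for `-i`, so every run leaves a stray `/usr/share/kibana/plugins/wazuh/wazuh.ymle` copy behind; write `sed -i -e '/- default:/,+4d' "$kibana_config_file"`. `$el_url` and `${auth}` are used in the curl check but not defined anywhere in this hunk; if they are not set earlier in the file the request has no host, `CONFIG_CODE` is never 200, and the `!=` branch appends the API entry on every start until `grep` finds it. The appended block stores `$api_password` in plaintext in wazuh.yml, which is the plugin's format, so the file's permissions should be limited to the kibana user.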
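Review bot: `COPY config/data_dirs.env /` is kept even though its only reader, `source /data_dirs.env` in 0-wazuh-init, is removed by this same commit, so the file is dead weight in the image; drop the COPY (and the file) with it. With init.bash no longer run at build time, 0-wazuh-init still does `cp -p /var/ossec/etc-template/...` and `rm /var/ossec/queue/db/.template.db`; the first is guarded by `-e`, but the `rm` will presumably fail and print an error on every start if that file was produced by init.bash — worth verifying before merging.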
--- a/wazuh/config/etc/cont-init.d/0-wazuh-init +++ b/wazuh/config/etc/cont-init.d/0-wazuh-init @@ -5,7 +5,6 @@ # variables expected by this script. # Startup the services -source /data_dirs.env FIRST_TIME_INSTALLATION=true @@ -36,16 +35,6 @@ edit_configuration() { # $1 -> setting, $2 -> value sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)" } -for ossecdir in "${DATA_DIRS[@]}"; do - if [ ! -e "${DATA_PATH}/${ossecdir}" ] - then - print "Installing ${ossecdir}" - exec_cmd "mkdir -p $(dirname ${DATA_PATH}/${ossecdir})" - exec_cmd "cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}" - FIRST_TIME_INSTALLATION=true - fi -done - if [ -e ${WAZUH_INSTALL_PATH}/etc-template ] then cp -p /var/ossec/etc-template/internal_options.conf /var/ossec/etc/internal_options.conf From a41da9d6ea1ae74c826f7f180491f49c6b2ad678 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 16 Jan 2020 13:00:13 +0100 Subject: [PATCH 013/156] Switch to new persistence method --- wazuh/Dockerfile | 19 +- wazuh/config/etc/cont-init.d/0-wazuh-init | 233 ++++++++++++++++++---- wazuh/config/init.bash | 11 - wazuh/config/permanent_data.env | 61 ++++++ wazuh/config/permanent_data.sh | 40 ++++ 5 files changed, 302 insertions(+), 62 deletions(-) delete mode 100644 wazuh/config/init.bash create mode 100644 wazuh/config/permanent_data.env create mode 100644 wazuh/config/permanent_data.sh diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index 04b05d90..92dad7c0 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile 
@@ -41,20 +41,19 @@ COPY config/filebeat.yml /etc/filebeat/ RUN chmod go-w /etc/filebeat/filebeat.yml +ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat +RUN chmod go-w /etc/filebeat/wazuh-template.json + COPY config/etc/ /etc/ -COPY config/data_dirs.env / - -# Setting volumes -VOLUME ["/var/ossec/data"] -VOLUME ["/etc/filebeat"] -VOLUME ["/var/lib/filebeat"] +# Prepare permanent data +# Sync calls are due to https://github.com/docker/docker/issues/9547 +COPY config/permanent_data.env config/permanent_data.sh / +RUN chmod 755 /permanent_data.sh && \ + sync && /permanent_data.sh && \ + sync && rm /permanent_data.sh # Services ports EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp - -ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat -RUN chmod go-w /etc/filebeat/wazuh-template.json - ENTRYPOINT [ "/init" ] diff --git a/wazuh/config/etc/cont-init.d/0-wazuh-init b/wazuh/config/etc/cont-init.d/0-wazuh-init index 10796414..2fb840dd 100644 --- a/wazuh/config/etc/cont-init.d/0-wazuh-init +++ b/wazuh/config/etc/cont-init.d/0-wazuh-init @@ -4,14 +4,18 @@ # Wazuh container bootstrap. See the README for information of the environment # variables expected by this script. -# Startup the services - -FIRST_TIME_INSTALLATION=true +# Variables +source /permanent_data.env WAZUH_INSTALL_PATH=/var/ossec -DATA_PATH=${WAZUH_INSTALL_PATH}/data - WAZUH_CONFIG_MOUNT=/wazuh-config-mount +AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true} +API_GENERATE_CERTS=${API_GENERATE_CERTS:-true} + + +############################################################################## +# Aux functions +############################################################################## print() { echo -e $1 
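Review bot: `ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/.../wazuh-template.json /etc/filebeat` fetches the Elasticsearch template at build time with no integrity check, and `$TEMPLATE_VERSION` is a git tag, which is mutable, so the image content depends on whatever that URL serves on build day; fetch it with `RUN curl -fsSL -o /etc/filebeat/wazuh-template.json <url>` followed by a pinned `sha256sum -c` (or BuildKit's `ADD --checksum=sha256:…`). The `RUN chmod 755 /permanent_data.sh && sync && /permanent_data.sh && …` step relocates `/var/ossec/etc`, `/var/ossec/queue` and the other PERMANENT_DATA paths at build time, and the `VOLUME` declarations that hinted at this are removed in the same hunk, so a comment such as `# permanent_data.sh moves the persistent dirs to /var/ossec/data_tmp; 0-wazuh-init restores them at boot` would save the next reader a search.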
@@ -31,72 +35,219 @@ exec_cmd_stdout() { eval $1 2>&1 || error_and_exit "$1" } +############################################################################## +# Edit configuration +############################################################################## + edit_configuration() { # $1 -> setting, $2 -> value sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)" } -if [ -e ${WAZUH_INSTALL_PATH}/etc-template ] -then - cp -p /var/ossec/etc-template/internal_options.conf /var/ossec/etc/internal_options.conf -fi -rm /var/ossec/queue/db/.template.db +############################################################################## +# This function will attempt to mount every directory in PERMANENT_DATA +# into the respective path. +# If the path is empty means permanent data volume is also empty, so a backup +# will be copied into it. Otherwise it will not be copied because there is +# already data inside the volume for the specified path. +############################################################################## -touch ${DATA_PATH}/process_list -chgrp ossec ${DATA_PATH}/process_list -chmod g+rw ${DATA_PATH}/process_list - -AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true} -API_GENERATE_CERTS=${API_GENERATE_CERTS:-true} +mount_permanent_data() { + for permanent_dir in "${PERMANENT_DATA[@]}"; do + # Check if the path is not empty + if find ${permanent_dir} -mindepth 1 | read; then + print "The path ${permanent_dir} is already mounted" + else + print "Installing ${permanent_dir}" + exec_cmd "cp -a ${WAZUH_INSTALL_PATH}/data_tmp/permanent${permanent_dir}/. 
${permanent_dir}" + fi + done +} ############################################################################## -# Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect +# This function will replace from the permanent data volume every file +# contained in PERMANENT_DATA_EXCP +# Some files as 'internal_options.conf' are saved as permanent data, but +# they must be updated to work properly if wazuh version is changed. +############################################################################## + +apply_exclusion_data() { + for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do + if [ -e ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ] + then + DIR=$(dirname "${exclusion_file}") + if [ ! -e ${DIR} ] + then + mkdir -p ${DIR} + fi + + print "Updating ${exclusion_file}" + exec_cmd "cp -p ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ${exclusion_file}" + fi + done +} + +############################################################################## +# This function will delete from the permanent data volume every file +# contained in PERMANENT_DATA_DEL +############################################################################## + +remove_data_files() { + for del_file in "${PERMANENT_DATA_DEL[@]}"; do + if [ -e ${del_file} ] + then + print "Removing ${del_file}" + exec_cmd "rm ${del_file}" + fi + done +} + +############################################################################## +# Create certificates: Manager +############################################################################## + +create_ossec_key_cert() { + print "Creating ossec-authd key and cert" + exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.key 4096" + exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/" +} + +############################################################################## +# Create certificates: API 
+############################################################################## + +create_api_key_cert() { + print "Enabling Wazuh API HTTPS" + edit_configuration "https" "yes" + print "Create Wazuh API key and cert" + exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key 4096" + exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/" + + # Granting proper permissions + chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key + chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt +} + +############################################################################## +# Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect # destination files permissions # # For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at # $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will # replace the ossec.conf file in /var/ossec/data/etc with yours. ############################################################################## -if [ -e "$WAZUH_CONFIG_MOUNT" ] -then - print "Identified Wazuh configuration files to mount..." - exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $DATA_PATH" -else - print "No Wazuh configuration files to mount..." -fi +mount_files() { + if [ -e "$WAZUH_CONFIG_MOUNT" ] + then + print "Identified Wazuh configuration files to mount..." + exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $WAZUH_INSTALL_PATH" + else + print "No Wazuh configuration files to mount..." 
+ fi +} + + +############################################################################## +# Stop OSSEC +############################################################################## function ossec_shutdown(){ ${WAZUH_INSTALL_PATH}/bin/ossec-control stop; } -# Trap exit signals and do a proper shutdown -trap "ossec_shutdown; exit" SIGINT SIGTERM - -chmod -R g+rw ${DATA_PATH} - ############################################################################## # Interpret any passed arguments (via docker command to this entrypoint) as -# paths or commands, and execute them. +# paths or commands, and execute them. # # This can be useful for actions that need to be run before the services are # started, such as "/var/ossec/bin/ossec-control enable agentless". ############################################################################## -for CUSTOM_COMMAND in "$@" -do - echo "Executing command \`${CUSTOM_COMMAND}\`" - exec_cmd_stdout "${CUSTOM_COMMAND}" -done + +docker_custom_args() { + for CUSTOM_COMMAND in "$@" + do + echo "Executing command \`${CUSTOM_COMMAND}\`" + exec_cmd_stdout "${CUSTOM_COMMAND}" + done +} ############################################################################## # Change Wazuh API user credentials. 
############################################################################## -pushd /var/ossec/api/configuration/auth/ +change_api_user_credentials() { + pushd /var/ossec/api/configuration/auth/ + if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + WAZUH_API_USER=${API_USER} + WAZUH_API_PASS=${API_PASS} + else + input=${SECURITY_CREDENTIALS_FILE} + while IFS= read -r line + do + if [[ $line == *"WAZUH_API_USER"* ]]; then + arrIN=(${line//:/ }) + WAZUH_API_USER=${arrIN[1]} + elif [[ $line == *"WAZUH_API_PASS"* ]]; then + arrIN=(${line//:/ }) + WAZUH_API_PASS=${arrIN[1]} + fi + done < "$input" + fi -env + echo "Change Wazuh API user credentials" + change_user="node htpasswd -b -c user $WAZUH_API_USER $WAZUH_API_PASS" + eval $change_user + popd +} -echo "Change Wazuh API user credentials" -change_user="node htpasswd -b -c user $API_USER $API_PASS" -eval $change_user -popd +############################################################################## +# Main function +############################################################################## + +main() { + # Mount permanent data (i.e. ossec.conf) + mount_permanent_data + + # Restore files stored in permanent data that are not permanent (i.e. internal_options.conf) + apply_exclusion_data + + # Remove some files in permanent_data (i.e. .template.db) + remove_data_files + + # Generate ossec-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist + if [ $AUTO_ENROLLMENT_ENABLED == true ] + then + if [ ! -e ${WAZUH_INSTALL_PATH}/etc/sslmanager.key ] + then + create_ossec_key_cert + fi + fi + + # Generate API certs if API_GENERATE_CERTS is true and does not exist + if [ $API_GENERATE_CERTS == true ] + then + if [ ! 
-e ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt ] + then + create_api_key_cert + fi + fi + + # Mount selected files (WAZUH_CONFIG_MOUNT) to container + mount_files + + # Trap exit signals and do a proper shutdown + trap "ossec_shutdown; exit" SIGINT SIGTERM + + # Execute custom args + docker_custom_args + + # Change API user credentials + change_api_user_credentials + + # Delete temporary data folder + rm -rf ${WAZUH_INSTALL_PATH}/data_tmp + +} + +main diff --git a/wazuh/config/init.bash b/wazuh/config/init.bash deleted file mode 100644 index e40fab94..00000000 --- a/wazuh/config/init.bash +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) - -# Initialize the custom data directory layout -source /data_dirs.env - -cd /var/ossec -for ossecdir in "${DATA_DIRS[@]}"; do - mv ${ossecdir} ${ossecdir}-template - ln -s $(realpath --relative-to=$(dirname ${ossecdir}) data)/${ossecdir} ${ossecdir} -done diff --git a/wazuh/config/permanent_data.env b/wazuh/config/permanent_data.env new file mode 100644 index 00000000..b19409ac --- /dev/null +++ b/wazuh/config/permanent_data.env 
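Review bot: `create_ossec_key_cert` writes `sslmanager.key` with the process umask and never tightens it, whereas `create_api_key_cert` does `chmod 400` on its key, and the file lands in `/var/ossec/etc`, which is in PERMANENT_DATA, so the loose mode travels with the volume; add `chmod 400 ${WAZUH_INSTALL_PATH}/etc/sslmanager.key` after the `openssl req` line. Separately, the script ends with a bare `main` and `main` calls `docker_custom_args` with no arguments, so the `"$@"` inside `docker_custom_args` is always empty and the documented "execute passed arguments before the services start" feature is dead; pass `"$@"` through both `main` and `docker_custom_args`. `change_api_user_credentials` builds a command string with unquoted `$WAZUH_API_USER`/`$WAZUH_API_PASS` and runs it through `eval`, so a password containing spaces, quotes or `;` is word-split or executed; call it directly as `node htpasswd -b -c user "$WAZUH_API_USER" "$WAZUH_API_PASS"`. Note that `-b` still places the password in argv, visible in the container's process list while htpasswd runs, and the `arrIN=(${line//:/ })` parser of the credentials file breaks on any password containing `:` or whitespace.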
@@ -0,0 +1,61 @@
+# Permanent data mounted in volumes
+i=0
+PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
+PERMANENT_DATA[((i++))]="/var/ossec/etc"
+PERMANENT_DATA[((i++))]="/var/ossec/logs"
+PERMANENT_DATA[((i++))]="/var/ossec/queue"
+PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
+PERMANENT_DATA[((i++))]="/var/ossec/integrations"
+PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
+PERMANENT_DATA[((i++))]="/var/ossec/wodles"
+PERMANENT_DATA[((i++))]="/etc/filebeat"
+export PERMANENT_DATA
+
+# Files mounted in a volume that should not be permanent
+i=0
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/internal_options.conf"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw_mac.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-slack.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-tweeter.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_oval.xsl"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_xccdf.xsl"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-redhat-6-ds.xml"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-redhat-7-ds.xml"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-centos-6-ds.xml"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-centos-7-ds.xml"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-fedora-24-ds.xml"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-rhel-6-ds.xml"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-rhel-7-ds.xml"
+export PERMANENT_DATA_EXCP
+
+# Files mounted in a volume that should be deleted
+i=0
+PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db"
+export PERMANENT_DATA_DEL
diff --git a/wazuh/config/permanent_data.sh b/wazuh/config/permanent_data.sh new file mode 100644
index 00000000..7a9d55b4
--- /dev/null
+++ b/wazuh/config/permanent_data.sh
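Review bot: The three `export PERMANENT_DATA…` lines export nothing, because bash does not pass arrays to child processes; both consumers in this patch (`0-wazuh-init` and `permanent_data.sh`) `source` the file, so the arrays work only for that reason and the `export` keyword suggests a guarantee that does not exist. Either drop the `export`s or replace them with a comment like `# arrays cannot be exported; this file must be sourced, not executed`. The header should also state the operational consequence of PERMANENT_DATA_EXCP: every listed integration and active-response script is copied back from the image on each container start (see `apply_exclusion_data` in 0-wazuh-init), so edits an operator makes to those files inside the volume are overwritten, and customizations must go through WAZUH_CONFIG_MOUNT, which is applied afterwards.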
@@ -0,0 +1,40 @@ +#!/bin/bash +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +# Variables +source /permanent_data.env + +WAZUH_INSTALL_PATH=/var/ossec +DATA_TMP_PATH=${WAZUH_INSTALL_PATH}/data_tmp +mkdir ${DATA_TMP_PATH} + +# Move exclusion files to EXCLUSION_PATH +EXCLUSION_PATH=${DATA_TMP_PATH}/exclusion +mkdir ${EXCLUSION_PATH} + +for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do + # Create the directory for the exclusion file if it does not exist + DIR=$(dirname "${exclusion_file}") + if [ ! -e ${EXCLUSION_PATH}/${DIR} ] + then + mkdir -p ${EXCLUSION_PATH}/${DIR} + fi + + mv ${exclusion_file} ${EXCLUSION_PATH}/${exclusion_file} +done + +# Move permanent files to PERMANENT_PATH +PERMANENT_PATH=${DATA_TMP_PATH}/permanent +mkdir ${PERMANENT_PATH} + +for permanent_dir in "${PERMANENT_DATA[@]}"; do + # Create the directory for the permanent file if it does not exist + DIR=$(dirname "${permanent_dir}") + if [ ! -e ${PERMANENT_PATH}${DIR} ] + then + mkdir -p ${PERMANENT_PATH}${DIR} + fi + + mv ${permanent_dir} ${PERMANENT_PATH}${permanent_dir} + +done \ No newline at end of file From a34dbb04b760293168aa37a0a552683c12628215 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 16 Jan 2020 16:03:47 +0100 Subject: [PATCH 014/156] Fix wazuh path --- wazuh/config/etc/cont-init.d/0-wazuh-init | 41 ++++++----------------- 1 file changed, 10 insertions(+), 31 deletions(-) diff --git a/wazuh/config/etc/cont-init.d/0-wazuh-init b/wazuh/config/etc/cont-init.d/0-wazuh-init index 2fb840dd..31092537 100644 --- a/wazuh/config/etc/cont-init.d/0-wazuh-init +++ b/wazuh/config/etc/cont-init.d/0-wazuh-init @@ -1,8 +1,5 @@ #!/usr/bin/with-contenv bash -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) - -# Wazuh container bootstrap. See the README for information of the environment -# variables expected by this script. +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) # Variables source /permanent_data.env 
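Review bot: The script never sets `set -e`, and none of its `mv` or `mkdir` calls is checked, so because the Dockerfile runs it inside a `&&` chain only the exit status of the final `mv` counts: a typo or a file missing from PERMANENT_DATA_EXCP (several entries, e.g. `kaspersky.py`, depend on the exact package contents) produces an image whose `data_tmp` copy silently lacks that file, and `apply_exclusion_data` then skips it at runtime because of its `-e` guard. Add `set -euo pipefail` after the shebang so the build fails at the offending entry, and use `mkdir -p` for `DATA_TMP_PATH`, `EXCLUSION_PATH` and `PERMANENT_PATH` so a rerun is idempotent. The `${exclusion_file}`/`${permanent_dir}` expansions should also be quoted, since `mv` with a word-split path would move the wrong thing rather than fail.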
@@ -16,31 +13,31 @@ API_GENERATE_CERTS=${API_GENERATE_CERTS:-true} ############################################################################## # Aux functions ############################################################################## - print() { - echo -e $1 + echo -e $1 } error_and_exit() { - echo "Error executing command: '$1'." - echo 'Exiting.' - exit 1 + echo "Error executing command: '$1'." + echo 'Exiting.' + exit 1 } exec_cmd() { - eval $1 > /dev/null 2>&1 || error_and_exit "$1" + eval $1 > /dev/null 2>&1 || error_and_exit "$1" } exec_cmd_stdout() { - eval $1 2>&1 || error_and_exit "$1" + eval $1 2>&1 || error_and_exit "$1" } + ############################################################################## # Edit configuration ############################################################################## edit_configuration() { # $1 -> setting, $2 -> value - sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)" + sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${WAZUH_INSTALL_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)" } ############################################################################## @@ -146,7 +143,6 @@ mount_files() { fi } - ############################################################################## # Stop OSSEC ############################################################################## 
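Review bot: Beyond the re-indentation and the `${DATA_PATH}` → `${WAZUH_INSTALL_PATH}` fix in `edit_configuration`, `exec_cmd` still sends both stdout and stderr of the evaluated command to `/dev/null`, so when `error_and_exit` fires during key or certificate generation the operator sees only the command string and never openssl's or cp's reason. Keeping stderr, `eval $1 > /dev/null || error_and_exit "$1"`, costs nothing and makes a failed boot diagnosable from the container log. A comment on `exec_cmd`/`exec_cmd_stdout` saying that the argument is evaluated as shell (so callers must pre-quote any path containing spaces) would document the contract these helpers impose.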
@@ -177,25 +173,8 @@ docker_custom_args() { change_api_user_credentials() { pushd /var/ossec/api/configuration/auth/ - if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then - WAZUH_API_USER=${API_USER} - WAZUH_API_PASS=${API_PASS} - else - input=${SECURITY_CREDENTIALS_FILE} - while IFS= read -r line - do - if [[ $line == *"WAZUH_API_USER"* ]]; then - arrIN=(${line//:/ }) - WAZUH_API_USER=${arrIN[1]} - elif [[ $line == *"WAZUH_API_PASS"* ]]; then - arrIN=(${line//:/ }) - WAZUH_API_PASS=${arrIN[1]} - fi - done < "$input" - fi - echo "Change Wazuh API user credentials" - change_user="node htpasswd -b -c user $WAZUH_API_USER $WAZUH_API_PASS" + change_user="node htpasswd -b -c user $API_USER $API_PASS" eval $change_user popd } From 7f7fbd39e10a80a28815679c0e47610785615337 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 16 Jan 2020 16:41:29 +0100 Subject: [PATCH 015/156] Switch default API entry to https --- kibana/config/wazuh_app_config.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kibana/config/wazuh_app_config.sh b/kibana/config/wazuh_app_config.sh index be224913..f0fbd720 100644 --- a/kibana/config/wazuh_app_config.sh +++ b/kibana/config/wazuh_app_config.sh @@ -1,7 +1,7 @@ #!/bin/bash # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -wazuh_url="${WAZUH_API_URL:-http://wazuh}" +wazuh_url="${WAZUH_API_URL:-https://wazuh}" wazuh_port="${API_PORT:-55000}" api_user="${API_USER:-foo}" api_password="${API_PASS:-bar}" From dcc0634b95026d706e5cc550e733654fd4f1a376 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Mon, 20 Jan 2020 12:46:30 +0100 Subject: [PATCH 016/156] Include required volumes and upgrade docker-compose format version --- docker-compose.yml | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 65421280..aa8896a6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
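Review bot: With the credentials-file branch removed, the API password comes exclusively from the `API_PASS` environment variable (default `bar` from the Dockerfile ENV), so it is visible in `docker inspect` and the compose file, and `node htpasswd -b -c user $API_USER $API_PASS` still passes both values unquoted through `eval`; at minimum write `node htpasswd -b -c user "$API_USER" "$API_PASS"`. Because `-c` recreates the file and `main` calls this function on every start, any password change made later in the persisted `/var/ossec/api/configuration` volume is reverted to the environment value at the next boot, which is worth a comment here since it is surprising for a path that is otherwise declared permanent. If file-based credentials are being dropped deliberately, a Docker/Compose secret mounted under `/run/secrets` is the usual replacement to keep the password out of the environment.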
@@ -1,5 +1,5 @@ # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) -version: '2' +version: '3.7' services: wazuh: @@ -11,6 +11,17 @@ services: - "1515:1515" - "514:514/udp" - "55000:55000" + volumes: + - ossec_api_configuration:/var/ossec/api/configuration + - ossec_etc:/var/ossec/etc + - ossec_logs:/var/ossec/logs + - ossec_queue:/var/ossec/queue + - ossec_var_multigroups:/var/ossec/var/multigroups + - ossec_integrations:/var/ossec/integrations + - ossec_active_response:/var/ossec/active-response/bin + - ossec_wodles:/var/ossec/wodles + - filebeat_etc:/etc/filebeat_etc + - filebeat_var:/var/lib/filebeat elasticsearch: build: elasticsearch hostname: elasticsearch @@ -26,7 +37,6 @@ services: memlock: soft: -1 hard: -1 - mem_limit: 2g kibana: build: kibana hostname: kibana @@ -50,3 +60,15 @@ services: - kibana links: - kibana:kibana + +volumes: + ossec_api_configuration: + ossec_etc: + ossec_logs: + ossec_queue: + ossec_var_multigroups: + ossec_integrations: + ossec_active_response: + ossec_wodles: + filebeat_etc: + filebeat_var: From 2e228eada471e3b998785163ca3d710e4419f59f Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 23 Jan 2020 15:21:31 +0100 Subject: [PATCH 017/156] Bump Nodejs to v10 --- wazuh/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index 92dad7c0..db7cb766 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -17,7 +17,7 @@ COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo RUN yum --enablerepo=updates clean metadata && \ yum -y install openssl && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \ - curl --silent --location https://rpm.nodesource.com/setup_8.x | bash - && \ + curl --silent --location https://rpm.nodesource.com/setup_10.x | bash - && \ yum -y install nodejs && yum -y install wazuh-api-${WAZUH_VERSION} && \ sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \ yum clean all && rm -rf /var/cache/yum 
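Review bot: `- filebeat_etc:/etc/filebeat_etc` does not match `/etc/filebeat`, the path listed in PERMANENT_DATA and the directory into which the Dockerfile copies `filebeat.yml` and `wazuh-template.json`, so the Filebeat configuration is not persisted and an unused empty volume is created instead; it should read `- filebeat_etc:/etc/filebeat`. The `ossec_etc` and `ossec_api_configuration` volumes will hold the TLS private keys generated by the init script, so they deserve a comment stating that backups of these volumes are sensitive. `filebeat_var:/var/lib/filebeat` has no counterpart in PERMANENT_DATA, which is fine only because Filebeat creates its registry there itself; a one-line comment saying so would stop the next reader from adding it to the list.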
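Review bot: `curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -` runs an unpinned remote script as root at build time, and with `--silent` and no `--fail` an HTTP error page would be piped into bash as well. Since this Dockerfile already imports the Wazuh GPG key and lets yum verify packages, the consistent approach is to install the NodeSource release package (or drop a repo file with `gpgcheck=1` and the NodeSource key imported via `rpm --import`) and let yum verify `nodejs`; if the setup script must stay, use `curl -fsSL` and verify its checksum before executing it. Note that the commit only changes the major version, so the signature-free install path is inherited, not introduced, here.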
From 0b6d5c99b1795cb63e9347c9da0569d31c1cf248 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 23 Jan 2020 15:22:23 +0100 Subject: [PATCH 018/156] Fix filebeat version --- wazuh/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index db7cb766..1d0397f5 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -22,8 +22,8 @@ RUN yum --enablerepo=updates clean metadata && \ sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \ yum clean all && rm -rf /var/cache/yum -RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm &&\ - rpm -i filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm +RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm &&\ + rpm -i filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-${FILEBEAT_VERSION}-x86_64.rpm RUN curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/${TEMPLATE_VERSION}/extensions/elasticsearch/7.x/wazuh-template.json &&\ chmod go+r /etc/filebeat/wazuh-template.json From 5db55032b7057a2c68e1f99c22564dc3797c2e67 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 23 Jan 2020 15:35:53 +0100 Subject: [PATCH 019/156] Add which command (required by manager) --- wazuh/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index 1d0397f5..e4ce18b4 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile 
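Review bot: `rpm -i filebeat-${FILEBEAT_VERSION}-x86_64.rpm` installs a package whose signing key is never imported (only `GPG-KEY-WAZUH` is, per the earlier `rpm --import`), so rpm prints a NOKEY warning and proceeds, and `curl -L -O` without `-f` would happily save an error page under the package name. Add `rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch` and `rpm -K filebeat-${FILEBEAT_VERSION}-x86_64.rpm` before the install, and use `curl -fL -O`. Switching from `filebeat-oss` to `filebeat` also changes the distribution from the Apache-2.0 build to the Elastic-licensed one, which is a licensing and feature change that the commit message ("Fix filebeat version") does not mention.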
@@ -16,7 +16,7 @@ RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo RUN yum --enablerepo=updates clean metadata && \ - yum -y install openssl && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \ + yum -y install openssl which && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \ curl --silent --location https://rpm.nodesource.com/setup_10.x | bash - && \ yum -y install nodejs && yum -y install wazuh-api-${WAZUH_VERSION} && \ sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \ From eefaed3edee44e431a14dc084dd1c631f012d62e Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 23 Jan 2020 17:13:32 +0100 Subject: [PATCH 020/156] Bump version to 3.11.2 --- elasticsearch/Dockerfile | 2 +- kibana/Dockerfile | 2 +- wazuh/Dockerfile | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/elasticsearch/Dockerfile b/elasticsearch/Dockerfile index 66a00475..d9267888 100644 --- a/elasticsearch/Dockerfile +++ b/elasticsearch/Dockerfile @@ -15,7 +15,7 @@ ENV XPACK_ML="true" ENV ENABLE_CONFIGURE_S3="false" -ARG TEMPLATE_VERSION=v3.11.1 +ARG TEMPLATE_VERSION=v3.11.2 # Elasticearch cluster configuration environment variables # If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 79715c91..4df1c3a2 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile @@ -2,7 +2,7 @@ FROM docker.elastic.co/kibana/kibana:7.5.1 USER kibana ARG ELASTIC_VERSION=7.5.1 -ARG WAZUH_VERSION=3.11.1 +ARG WAZUH_VERSION=3.11.2 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" #ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /usr/share/kibana/ diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index e4ce18b4..b25a6000 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile 
@@ -2,8 +2,8 @@ FROM centos:7 ARG FILEBEAT_VERSION=7.5.1 -ARG WAZUH_VERSION=3.11.1-1 -ARG TEMPLATE_VERSION="v3.11.1" +ARG WAZUH_VERSION=3.11.2-1 +ARG TEMPLATE_VERSION="v3.11.2" ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz" ENV API_USER="foo" \ From c32e306a3788c36618e03b181a078ed729ee79d8 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 30 Jan 2020 16:44:36 +0100 Subject: [PATCH 021/156] Bump to version 3.11.3_7.5.2 --- VERSION | 4 ++-- elasticsearch/Dockerfile | 4 ++-- kibana/Dockerfile | 6 +++--- wazuh/Dockerfile | 6 +++--- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/VERSION b/VERSION index a6dcc8c8..7e59f57a 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-DOCKER_VERSION="3.11.1_7.5.1" -REVISION="31110" +WAZUH-DOCKER_VERSION="3.11.3_7.5.2" +REVISION="31130" diff --git a/elasticsearch/Dockerfile b/elasticsearch/Dockerfile index d9267888..679738a9 100644 --- a/elasticsearch/Dockerfile +++ b/elasticsearch/Dockerfile @@ -1,5 +1,5 @@ # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -ARG ELASTIC_VERSION=7.5.1 +ARG ELASTIC_VERSION=7.5.2 FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION} ARG S3_PLUGIN_URL="https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-${ELASTIC_VERSION}.zip" @@ -15,7 +15,7 @@ ENV XPACK_ML="true" ENV ENABLE_CONFIGURE_S3="false" -ARG TEMPLATE_VERSION=v3.11.2 +ARG TEMPLATE_VERSION=v3.11.3 # Elasticearch cluster configuration environment variables # If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 4df1c3a2..9c79c12c 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile 
@@ -1,8 +1,8 @@ # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -FROM docker.elastic.co/kibana/kibana:7.5.1 +FROM docker.elastic.co/kibana/kibana:7.5.2 USER kibana -ARG ELASTIC_VERSION=7.5.1 -ARG WAZUH_VERSION=3.11.2 +ARG ELASTIC_VERSION=7.5.2 +ARG WAZUH_VERSION=3.11.3 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" #ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /usr/share/kibana/ diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index b25a6000..d25dbeb7 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -1,9 +1,9 @@ # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) FROM centos:7 -ARG FILEBEAT_VERSION=7.5.1 -ARG WAZUH_VERSION=3.11.2-1 -ARG TEMPLATE_VERSION="v3.11.2" +ARG FILEBEAT_VERSION=7.5.2 +ARG WAZUH_VERSION=3.11.3-1 +ARG TEMPLATE_VERSION="v3.11.3" ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz" ENV API_USER="foo" \ From effa44687222bc900ab38e6e058ab5874d5fbe5c Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 30 Jan 2020 16:46:07 +0100 Subject: [PATCH 022/156] Fix volume mount point --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index aa8896a6..c754699d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -20,7 +20,7 @@ services: - ossec_integrations:/var/ossec/integrations - ossec_active_response:/var/ossec/active-response/bin - ossec_wodles:/var/ossec/wodles - - filebeat_etc:/etc/filebeat_etc + - filebeat_etc:/etc/filebeat - filebeat_var:/var/lib/filebeat elasticsearch: build: elasticsearch From 03f4e399783bb819d37bb4f39769293410576a01 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Mon, 3 Feb 2020 13:18:03 +0100 Subject: [PATCH 023/156] Update Nginx config syntax --- nginx/config/entrypoint.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/nginx/config/entrypoint.sh b/nginx/config/entrypoint.sh index 468c8a92..06b24c3f 100644 --- a/nginx/config/entrypoint.sh 
+++ b/nginx/config/entrypoint.sh @@ -60,9 +60,8 @@ server { } server { - listen ${NGINX_PORT} default_server; - listen [::]:${NGINX_PORT}; - ssl on; + listen ${NGINX_PORT} default_server ssl; + listen [::]:${NGINX_PORT} ssl; ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem; ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key; location / { From 82bb977b9c2a10bdc668bbbf70a1c49bb051b8bd Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Mon, 3 Feb 2020 16:36:26 +0100 Subject: [PATCH 024/156] Switch entrypoint to json format --- nginx/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/Dockerfile b/nginx/Dockerfile index f348cb19..b1f0e986 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile @@ -15,4 +15,4 @@ VOLUME ["/etc/nginx/conf.d"] ENV NGINX_NAME="foo" \ NGINX_PWD="bar" -ENTRYPOINT /entrypoint.sh +ENTRYPOINT [ "/entrypoint.sh" ] From 159aaf43acd04ec7e8376f252252991b8380ba15 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Mon, 3 Feb 2020 16:38:22 +0100 Subject: [PATCH 025/156] Exec nginx as PID 1 --- nginx/config/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/config/entrypoint.sh b/nginx/config/entrypoint.sh index 06b24c3f..e2488ba8 100644 --- a/nginx/config/entrypoint.sh +++ b/nginx/config/entrypoint.sh @@ -75,4 +75,4 @@ server { } EOF -nginx -g 'daemon off;' +exec nginx -g 'daemon off;' From 358c8750a454ce2dcc73e36ee5ac4c8fd15e8437 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Tue, 4 Feb 2020 12:23:24 +0100 Subject: [PATCH 026/156] Use batch mode on htpasswd --- nginx/config/entrypoint.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nginx/config/entrypoint.sh b/nginx/config/entrypoint.sh index e2488ba8..2c802d55 100644 --- a/nginx/config/entrypoint.sh +++ b/nginx/config/entrypoint.sh 
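Review bot: The rewritten `listen … ssl` directives are correct for current nginx, but the TLS server block as generated here sets only `ssl_certificate`/`ssl_certificate_key` and no `ssl_protocols` or cipher policy, so the listener falls back to the defaults of whatever `nginx:latest` resolves to at build time, which in the 1.17-era images still included TLSv1 and TLSv1.1. If they are not set elsewhere in the generated config (the `server` block continues past the hunk), add `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers on;` next to the certificate lines. The `[::]` listener also lacks `default_server`, so a request on IPv6 with an unknown Host header may be routed differently from IPv4; adding the flag to both keeps them symmetric.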
@@ -30,14 +30,14 @@ if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then do IFS=':' read -r -a credentials <<< "${users[index]}" if [ $index -eq 0 ]; then - echo ${credentials[1]}|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} >/dev/null + htpasswd -b -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} ${credentials[1]} >/dev/null else - echo ${credentials[1]}|htpasswd -i /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} >/dev/null + htpasswd -b /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} ${credentials[1]} >/dev/null fi done else # NGINX_PWD and NGINX_NAME are declared in nginx/Dockerfile - echo $NGINX_PWD|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME >/dev/null + htpasswd -b -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME $NGINX_PWD >/dev/null fi else echo "Kibana credentials already configured" From 3a2568879a6dc8352db6ce78604d773d71a3cde3 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Wed, 5 Feb 2020 12:19:40 +0100 Subject: [PATCH 027/156] Enable HTTP v2 --- nginx/config/entrypoint.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx/config/entrypoint.sh b/nginx/config/entrypoint.sh index 2c802d55..b7c23c64 100644 --- a/nginx/config/entrypoint.sh +++ b/nginx/config/entrypoint.sh @@ -60,8 +60,8 @@ server { } server { - listen ${NGINX_PORT} default_server ssl; - listen [::]:${NGINX_PORT} ssl; + listen ${NGINX_PORT} default_server ssl http2; + listen [::]:${NGINX_PORT} ssl http2; ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem; ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key; location / { From 2e08f91f6255c751b842eac92a7f72c70b6df80e Mon Sep 17 00:00:00 2001 
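Review bot: `htpasswd -b` takes the password as a command-line argument, so for the duration of each call it is readable from the process list (`/proc/*/cmdline`) by anything sharing the container's PID namespace, whereas the replaced `-i` form delivered it on stdin; if the goal was only to avoid the unquoted `echo`, `printf '%s' "${credentials[1]}" | htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd "${credentials[0]}"` keeps batch behaviour without that exposure. Independently, `${credentials[0]} ${credentials[1]}` and `$NGINX_NAME $NGINX_PWD` are unquoted on all three new lines, so a password containing whitespace or glob characters is split or expanded before it reaches htpasswd; quote them as `"${credentials[0]}" "${credentials[1]}"`. The `set -e` that makes a failed htpasswd abort the script is outside this hunk.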
From: Manuel Gutierrez Date: Wed, 5 Feb 2020 18:02:25 +0100 Subject: [PATCH 028/156] Replace nginx rebuild with nginx_conf --- nginx/Dockerfile | 18 ----- nginx/config/entrypoint.sh | 78 --------------------- nginx_conf/kibana-web.conf | 20 ++++++ nginx_conf/kibana.htpasswd | 1 + nginx_conf/ssl/README.md | 23 ++++++ nginx_conf/ssl/generate-self-signed-cert.sh | 9 +++ 6 files changed, 53 insertions(+), 96 deletions(-) delete mode 100644 nginx/Dockerfile delete mode 100644 nginx/config/entrypoint.sh create mode 100644 nginx_conf/kibana-web.conf create mode 100644 nginx_conf/kibana.htpasswd create mode 100644 nginx_conf/ssl/README.md create mode 100644 nginx_conf/ssl/generate-self-signed-cert.sh diff --git a/nginx/Dockerfile b/nginx/Dockerfile deleted file mode 100644 index b1f0e986..00000000 --- a/nginx/Dockerfile +++ /dev/null @@ -1,18 +0,0 @@ -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -FROM nginx:latest - -ENV DEBIAN_FRONTEND noninteractive - -RUN apt-get update && apt-get install -y openssl apache2-utils && \ - apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* - -COPY config/entrypoint.sh /entrypoint.sh - -RUN chmod 755 /entrypoint.sh - -VOLUME ["/etc/nginx/conf.d"] - -ENV NGINX_NAME="foo" \ - NGINX_PWD="bar" - -ENTRYPOINT [ "/entrypoint.sh" ] diff --git a/nginx/config/entrypoint.sh b/nginx/config/entrypoint.sh deleted file mode 100644 index b7c23c64..00000000 --- a/nginx/config/entrypoint.sh +++ /dev/null 
@@ -1,78 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) - -set -e - -# Generating certificates. -if [ ! -d /etc/nginx/conf.d/ssl ]; then - echo "Generating SSL certificates" - mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private - openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null -else - echo "SSL certificates already present" -fi - -# Setting users credentials. -# In order to set NGINX_CREDENTIALS, before "docker-compose up -d" run (a or b): -# -# a) export NGINX_CREDENTIALS="user1:pass1;user2:pass2;" or -# export NGINX_CREDENTIALS="user1:pass1;user2:pass2" -# -# b) Set NGINX_CREDENTIALS in docker-compose.yml: -# NGINX_CREDENTIALS=user1:pass1;user2:pass2; or -# NGINX_CREDENTIALS=user1:pass1;user2:pass2 -# -if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then - echo "Setting users credentials" - if [ ! -z "$NGINX_CREDENTIALS" ]; then - IFS=';' read -r -a users <<< "$NGINX_CREDENTIALS" - for index in "${!users[@]}" - do - IFS=':' read -r -a credentials <<< "${users[index]}" - if [ $index -eq 0 ]; then - htpasswd -b -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} ${credentials[1]} >/dev/null - else - htpasswd -b /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} ${credentials[1]} >/dev/null - fi - done - else - # NGINX_PWD and NGINX_NAME are declared in nginx/Dockerfile - htpasswd -b -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME $NGINX_PWD >/dev/null - fi -else - echo "Kibana credentials already configured" -fi - -if [ "x${NGINX_PORT}" = "x" ]; then - NGINX_PORT=443 -fi - -if [ "x${KIBANA_HOST}" = "x" ]; then - KIBANA_HOST="kibana:5601" -fi - -echo "Configuring NGINX" -cat > /etc/nginx/conf.d/default.conf < Date: Wed, 5 Feb 2020 18:04:38 +0100 Subject: [PATCH 029/156] Switch to nginx:stable on docker-compose --- docker-compose.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 
deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index c754699d..7f069a80 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -47,12 +47,9 @@ services: - elasticsearch:elasticsearch - wazuh:wazuh nginx: - build: nginx + image: nginx:stable hostname: nginx restart: always - environment: - - NGINX_PORT=443 - - NGINX_CREDENTIALS ports: - "80:80" - "443:443" @@ -60,6 +57,8 @@ services: - kibana links: - kibana:kibana + volumes: + - ./nginx_conf:/etc/nginx/conf.d:ro volumes: ossec_api_configuration: From 10225496e1792317e8ed54f0395d0a579b1badc2 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Wed, 5 Feb 2020 18:21:24 +0100 Subject: [PATCH 030/156] Enable nginx settings --- nginx_conf/kibana-web.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nginx_conf/kibana-web.conf b/nginx_conf/kibana-web.conf index be3fa5b0..b3821747 100644 --- a/nginx_conf/kibana-web.conf +++ b/nginx_conf/kibana-web.conf @@ -13,8 +13,8 @@ server { auth_basic "Restricted Access"; auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd; proxy_pass http://kibana:5601/; -# proxy_buffer_size 128k; -# proxy_buffers 4 256k; -# proxy_busy_buffers_size 256k; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; } } From 1eb4a53c539808af14a19b371776ff887ff7e94b Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Wed, 5 Feb 2020 18:21:52 +0100 Subject: [PATCH 031/156] Update docs --- README.md | 2 +- nginx_conf/ssl/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6d7a8096..1280fc93 100644 --- a/README.md +++ b/README.md 
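Review bot: `image: nginx:stable` is a floating tag, so each pull may silently bring a different nginx build, which gives the proxy in front of Kibana none of the reproducibility the rest of the stack gets from its pinned Elastic and Wazuh versions. Pin it to a specific release or digest, `image: nginx:<pinned-version>`, and bump it deliberately. Mounting `./nginx_conf` read-only in the second hunk is the right choice.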
@@ -9,7 +9,7 @@ In this repository you will find the containers to run: * wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack) * wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status. -* wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme). +* nginx: Proxies the Kibana container, adding HTTPS (via your [own certificate or self-signed](nginx_conf/ssl/README.md)) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme). **It is required to set up SSL certificate before deploying** * wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** In addition, a docker-compose file is provided to launch the containers mentioned above. diff --git a/nginx_conf/ssl/README.md b/nginx_conf/ssl/README.md index 9c44ff23..e6233613 100644 --- a/nginx_conf/ssl/README.md +++ b/nginx_conf/ssl/README.md @@ -18,6 +18,6 @@ nginx_conf/ #### Using a Self Signed Certificate -In case you want to use a self-signed certificate we provided a script to generate one. You may create your own with more relevant information. +In case you want to use a self-signed certificate we provided a script to generate one. Execute `bash generate-self-signed-cert.sh` on this same directory and the right files will be generated. You must have installed `openssl` locally. From 9564adf54a759cdcbaea7daab223bcbec33be98f Mon Sep 17 00:00:00 2001 
From: Manuel Gutierrez Date: Tue, 31 Mar 2020 19:48:06 +0200 Subject: [PATCH 032/156] Update nginx_conf Readme --- nginx_conf/{ssl => }/README.md | 13 ++++++++++++- nginx_conf/kibana.htpasswd | 1 - nginx_conf/ssl/generate-self-signed-cert.sh | 3 +++ 3 files changed, 15 insertions(+), 2 deletions(-) rename nginx_conf/{ssl => }/README.md (61%) delete mode 100644 nginx_conf/kibana.htpasswd diff --git a/nginx_conf/ssl/README.md b/nginx_conf/README.md similarity index 61% rename from nginx_conf/ssl/README.md rename to nginx_conf/README.md index e6233613..aef42766 100644 --- a/nginx_conf/ssl/README.md +++ b/nginx_conf/README.md @@ -20,4 +20,15 @@ nginx_conf/ In case you want to use a self-signed certificate we provided a script to generate one. -Execute `bash generate-self-signed-cert.sh` on this same directory and the right files will be generated. You must have installed `openssl` locally. +Execute `bash generate-self-signed-cert.sh` inside the `ssl` directory and it will be generated. You must install `openssl` first. + + +### Setup Basic Authentication + +The nginx configuration expects the file `kibana.htpasswd`. + +This file can be generated with the `htpasswd` command. + +```bash +htpasswd -c kibana.htpasswd username +``` diff --git a/nginx_conf/kibana.htpasswd b/nginx_conf/kibana.htpasswd deleted file mode 100644 index 5008c153..00000000 --- a/nginx_conf/kibana.htpasswd +++ /dev/null @@ -1 +0,0 @@ -foo:$apr1$WwUDPA87$v9Bj8DS5KF9u1wBTtHH.A/ diff --git a/nginx_conf/ssl/generate-self-signed-cert.sh b/nginx_conf/ssl/generate-self-signed-cert.sh index cf0a56f0..f30fd69d 100644 --- a/nginx_conf/ssl/generate-self-signed-cert.sh +++ b/nginx_conf/ssl/generate-self-signed-cert.sh @@ -1,5 +1,8 @@ #!/bin/bash +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +cd $DIR + if [ -s kibana-access.key ] then echo "Aborting. Certificate already exists" From b4e82984b4de926e75add9abde497e49097fdaab Mon Sep 17 00:00:00 2001 
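Review bot: `cd $DIR` is unquoted and unchecked: a checkout path containing whitespace splits the argument, and if the `cd` fails the script carries on and writes `kibana-access.key` into whatever the current directory happens to be. Use `cd "$DIR" || exit 1`. The `DIR=` assignment above it is already quoted correctly.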
From: Manuel Gutierrez Date: Tue, 31 Mar 2020 19:48:39 +0200 Subject: [PATCH 033/156] Insert reference to nginx_conf Readme --- README.md | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 1280fc93..dbe25c0b 100644 --- a/README.md +++ b/README.md 
@@ -9,10 +9,10 @@ In this repository you will find the containers to run: * wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack) * wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status. -* nginx: Proxies the Kibana container, adding HTTPS (via your [own certificate or self-signed](nginx_conf/ssl/README.md)) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme). **It is required to set up SSL certificate before deploying** -* wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** +* nginx: Proxies the Kibana container, adding HTTPS (via your [own certificate or self-signed](nginx_conf/README.md)) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme). **It is required to set up SSL certificate before deploying** +* wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** -In addition, a docker-compose file is provided to launch the containers mentioned above. +In addition, a docker-compose file is provided to launch the containers mentioned above. * Elasticsearch cluster. In the Elasticsearch Dockerfile we can visualize variables to configure an Elasticsearch Cluster. 
These variables are used in the file *config_cluster.sh* to set them in the *elasticsearch.yml* configuration file. You can see the meaning of the node variables [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) and other cluster settings [here](https://github.com/elastic/elasticsearch/blob/master/distribution/src/config/elasticsearch.yml). @@ -22,6 +22,13 @@ In addition, a docker-compose file is provided to launch the containers mentione * [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html) * [Docker hub](https://hub.docker.com/u/wazuh) +### Setup SSL certificate and Basic Authentication + +Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed) and setup the basic auth. + +Documentation on how to provide these two can be found at [nginx_conf/README.md](nginx_conf/README.md). + + ## Directory structure wazuh-docker @@ -43,10 +50,11 @@ In addition, a docker-compose file is provided to launch the containers mentione │   │   └── xpack_config.sh │   └── Dockerfile ├── LICENSE - ├── nginx - │   ├── config - │   │   └── entrypoint.sh - │   └── Dockerfile + ├── nginx_conf + │   ├── kibana-web.conf + │   ├── README.md + │   └── ssl + │   └── generate-self-signed-cert.sh ├── README.md ├── VERSION └── wazuh @@ -59,17 +67,14 @@ In addition, a docker-compose file is provided to launch the containers mentione │   │   │   └── 2-manager │   │   └── services.d │   │   ├── api - │   │   │   ├── finish - │   │   │   └── run │   │   └── filebeat - │   │   ├── finish - │   │   └── run - │   ├── init.bash + │   ├── filebeat.yml + │   ├── permanent_data.env + │   ├── permanent_data.sh │   └── wazuh.repo └── Dockerfile - ## Branches * `stable` branch on correspond to the latest Wazuh-Docker stable version. From 3a27f55cbafd8d20ac98285ba08beb95c9413470 Mon Sep 17 00:00:00 2001 
From: Manuel Gutierrez Date: Tue, 14 Apr 2020 19:23:27 +0200 Subject: [PATCH 034/156] Bump to version 3.12.2_7.6.2 --- CHANGELOG.md | 69 +++++++++++++++++++++++++++++++++++++++- LICENSE | 2 +- README.md | 2 +- VERSION | 4 +-- elasticsearch/Dockerfile | 6 ++-- kibana/Dockerfile | 6 ++-- wazuh/Dockerfile | 6 ++-- 7 files changed, 81 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 09bd3987..4d683dfd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,73 @@ # Change Log All notable changes to this project will be documented in this file. +## Wazuh Docker v3.12.2_7.6.2 + +### Added + +- Update to Wazuh version 3.12.2_7.6.2 + +## Wazuh Docker v3.12.1_7.6.2 + +### Added + +- Update to Wazuh version 3.12.1_7.6.2 + +### Fixed + +- Agent timestamp not being properly saved ([@xr09](https://github.com/xr09)) [#323](https://github.com/wazuh/wazuh-docker/pull/323) + + +## Wazuh Docker v3.12.0_7.6.1 + +### Added + +- Update to Wazuh version 3.12.0_7.6.1 + + +## Wazuh Docker v3.11.4_7.6.1 + +### Added + +- Update to Wazuh version 3.11.4_7.6.1 + +- Enable HTTP v2 on nginx ([@xr09](https://github.com/xr09)) [#308](https://github.com/wazuh/wazuh-docker/pull/308) + +### Fixed + +- Updated NGINX config syntax ([@xr09](https://github.com/xr09)) [#303](https://github.com/wazuh/wazuh-docker/pull/303) + + +## Wazuh Docker v3.11.3_7.5.2 + +### Added + +- Update to Wazuh version 3.11.3_7.5.2 + +## Wazuh Docker v3.11.2_7.5.1 + +### Added + +- Bumped Node.js to version 10 ([@xr09](https://github.com/xr09)) [#8615cd4](https://github.com/wazuh/wazuh-docker/commit/8615cd4d2152601e55becc7c3675360938e74b6a) + +### Fixed + +- Fix S3 Plugin ([@AnthonySendra](https://github.com/AnthonySendra)) [#293](https://github.com/wazuh/wazuh-docker/pull/293) + +## Wazuh Docker v3.11.1_7.5.1 + +### Added + +- Update to Wazuh version 3.11.1_7.5.1 +- Filebeat configuration file updated to latest version ([@manuasir](https://github.com/manuasir)) [#271](https://github.com/wazuh/wazuh-docker/pull/271) +- Allow using the hostname as node_name for managers ([@JPLachance](https://github.com/JPLachance)) [#261](https://github.com/wazuh/wazuh-docker/pull/261) + +## Wazuh Docker v3.11.0_7.5.1 + +### Added + +- Update to Wazuh version 3.11.0_7.5.1 + ## Wazuh Docker v3.10.2_7.5.0 ### Added 
@@ -158,7 +225,7 @@ All notable changes to this project will be documented in this file. - Add env credentials for nginx. ([#86](https://github.com/wazuh/wazuh-docker/pull/86)) - Improve filebeat configuration ([#88](https://github.com/wazuh/wazuh-docker/pull/88)) -### Fixed +### Fixed - Temporary fix for Wazuh cluster master node in Kubernetes. ([#84](https://github.com/wazuh/wazuh-docker/pull/84)) diff --git a/LICENSE b/LICENSE index 04fb7afc..40f5e6c3 100644 --- a/LICENSE +++ b/LICENSE @@ -1,5 +1,5 @@ - Portions Copyright (C) 2019 Wazuh, Inc. + Portions Copyright (C) 2020 Wazuh, Inc. Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc. This program is a free software; you can redistribute it and/or modify diff --git a/README.md b/README.md index dbe25c0b..fc63d818 100644 --- a/README.md +++ b/README.md @@ -92,7 +92,7 @@ We thank you them and everyone else who has contributed to this project. ## License and copyright -Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) +Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) ## Web references diff --git a/VERSION b/VERSION index 7e59f57a..a6f084f7 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-DOCKER_VERSION="3.11.3_7.5.2" -REVISION="31130" +WAZUH-DOCKER_VERSION="3.12.2_7.6.2" +REVISION="31220" diff --git a/elasticsearch/Dockerfile b/elasticsearch/Dockerfile index 679738a9..13656b2d 100644 --- a/elasticsearch/Dockerfile +++ b/elasticsearch/Dockerfile @@ -1,5 +1,5 @@ -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -ARG ELASTIC_VERSION=7.5.2 +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) +ARG ELASTIC_VERSION=7.6.2 FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION} ARG S3_PLUGIN_URL="https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-${ELASTIC_VERSION}.zip" 
@@ -15,7 +15,7 @@ ENV XPACK_ML="true" ENV ENABLE_CONFIGURE_S3="false" -ARG TEMPLATE_VERSION=v3.11.3 +ARG TEMPLATE_VERSION=v3.12.2 # Elasticearch cluster configuration environment variables # If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 9c79c12c..729ae500 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile @@ -1,8 +1,8 @@ # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -FROM docker.elastic.co/kibana/kibana:7.5.2 +FROM docker.elastic.co/kibana/kibana:7.6.2 USER kibana -ARG ELASTIC_VERSION=7.5.2 -ARG WAZUH_VERSION=3.11.3 +ARG ELASTIC_VERSION=7.6.2 +ARG WAZUH_VERSION=3.12.2 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" #ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /usr/share/kibana/ diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index d25dbeb7..9509793b 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -1,9 +1,9 @@ # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) FROM centos:7 -ARG FILEBEAT_VERSION=7.5.2 -ARG WAZUH_VERSION=3.11.3-1 -ARG TEMPLATE_VERSION="v3.11.3" +ARG FILEBEAT_VERSION=7.6.2 +ARG WAZUH_VERSION=3.12.2-1 +ARG TEMPLATE_VERSION="v3.12.2" ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz" ENV API_USER="foo" \ From 49cb2949337a3ad1123b366b607d9829fcc5335b Mon Sep 17 00:00:00 2001 
From: Manuel Gutierrez Date: Tue, 14 Apr 2020 19:27:40 +0200 Subject: [PATCH 035/156] Bump copyright year --- docker-compose.yml | 2 +- elasticsearch/config/config_cluster.sh | 2 +- elasticsearch/config/configure_s3.sh | 4 ++-- elasticsearch/config/entrypoint.sh | 2 +- elasticsearch/config/load_settings.sh | 2 +- kibana/Dockerfile | 2 +- kibana/config/entrypoint.sh | 2 +- kibana/config/kibana_settings.sh | 2 +- kibana/config/wazuh_app_config.sh | 2 +- kibana/config/welcome_wazuh.sh | 2 +- kibana/config/xpack_config.sh | 2 +- wazuh/Dockerfile | 2 +- wazuh/config/etc/cont-init.d/0-wazuh-init | 2 +- wazuh/config/etc/cont-init.d/1-config-filebeat | 2 +- wazuh/config/permanent_data.sh | 4 ++-- 15 files changed, 17 insertions(+), 17 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 7f069a80..46ef19be 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,4 +1,4 @@ -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2) version: '3.7' services: diff --git a/elasticsearch/config/config_cluster.sh b/elasticsearch/config/config_cluster.sh index 31b563bf..e58b423c 100644 --- a/elasticsearch/config/config_cluster.sh +++ b/elasticsearch/config/config_cluster.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml" diff --git a/elasticsearch/config/configure_s3.sh b/elasticsearch/config/configure_s3.sh index 5d4e3901..010236ce 100644 --- a/elasticsearch/config/configure_s3.sh +++ b/elasticsearch/config/configure_s3.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) set -e @@ -74,4 +74,4 @@ function Main() CreateRepo $1 $2 $3 $4 $5 $6 } -Main $# $1 $2 $3 $4 $5 \ No newline at end of file +Main $# $1 $2 $3 $4 $5 
diff --git a/elasticsearch/config/entrypoint.sh b/elasticsearch/config/entrypoint.sh index 5b42adb7..cfeb7705 100644 --- a/elasticsearch/config/entrypoint.sh +++ b/elasticsearch/config/entrypoint.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) # For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.0/build/elasticsearch/bin/docker-entrypoint.sh diff --git a/elasticsearch/config/load_settings.sh b/elasticsearch/config/load_settings.sh index 65f90a76..2754b84f 100644 --- a/elasticsearch/config/load_settings.sh +++ b/elasticsearch/config/load_settings.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) set -e diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 729ae500..eef99747 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile @@ -1,4 +1,4 @@ -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) FROM docker.elastic.co/kibana/kibana:7.6.2 USER kibana ARG ELASTIC_VERSION=7.6.2 diff --git a/kibana/config/entrypoint.sh b/kibana/config/entrypoint.sh index 87bbef39..1c445e10 100644 --- a/kibana/config/entrypoint.sh +++ b/kibana/config/entrypoint.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) set -e diff --git a/kibana/config/kibana_settings.sh b/kibana/config/kibana_settings.sh index cb4151fa..adb968e0 100644 --- a/kibana/config/kibana_settings.sh +++ b/kibana/config/kibana_settings.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) WAZUH_MAJOR=3 
diff --git a/kibana/config/wazuh_app_config.sh b/kibana/config/wazuh_app_config.sh index f0fbd720..ea09b23d 100644 --- a/kibana/config/wazuh_app_config.sh +++ b/kibana/config/wazuh_app_config.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) wazuh_url="${WAZUH_API_URL:-https://wazuh}" wazuh_port="${API_PORT:-55000}" diff --git a/kibana/config/welcome_wazuh.sh b/kibana/config/welcome_wazuh.sh index fb90b949..98306871 100644 --- a/kibana/config/welcome_wazuh.sh +++ b/kibana/config/welcome_wazuh.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) if [[ $CHANGE_WELCOME == "true" ]] then diff --git a/kibana/config/xpack_config.sh b/kibana/config/xpack_config.sh index 84a1a942..98e4a656 100644 --- a/kibana/config/xpack_config.sh +++ b/kibana/config/xpack_config.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) kibana_config_file="/usr/share/kibana/config/kibana.yml" if grep -Fq "#xpack features" "$kibana_config_file"; diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index 9509793b..45344ded 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -1,4 +1,4 @@ -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) FROM centos:7 ARG FILEBEAT_VERSION=7.6.2 diff --git a/wazuh/config/etc/cont-init.d/0-wazuh-init b/wazuh/config/etc/cont-init.d/0-wazuh-init index 31092537..b0cbd001 100644 --- a/wazuh/config/etc/cont-init.d/0-wazuh-init +++ b/wazuh/config/etc/cont-init.d/0-wazuh-init @@ -1,5 +1,5 @@ #!/usr/bin/with-contenv bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2) # Variables source /permanent_data.env 
diff --git a/wazuh/config/etc/cont-init.d/1-config-filebeat b/wazuh/config/etc/cont-init.d/1-config-filebeat index f968f638..181e3e1a 100644 --- a/wazuh/config/etc/cont-init.d/1-config-filebeat +++ b/wazuh/config/etc/cont-init.d/1-config-filebeat @@ -1,5 +1,5 @@ #!/usr/bin/with-contenv bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2) set -e diff --git a/wazuh/config/permanent_data.sh b/wazuh/config/permanent_data.sh index 7a9d55b4..7dfaa647 100644 --- a/wazuh/config/permanent_data.sh +++ b/wazuh/config/permanent_data.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2) # Variables source /permanent_data.env @@ -37,4 +37,4 @@ for permanent_dir in "${PERMANENT_DATA[@]}"; do mv ${permanent_dir} ${PERMANENT_PATH}${permanent_dir} -done \ No newline at end of file +done From a580c0f05b197cb2d8d4e9bff8781b71b082f711 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Wed, 15 Apr 2020 16:19:13 +0200 Subject: [PATCH 036/156] Set NODE_OPTIONS on kibana optimize --- kibana/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kibana/Dockerfile b/kibana/Dockerfile index eef99747..efd70883 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile @@ -71,6 +71,6 @@ RUN chmod +x ./welcome_wazuh.sh RUN ./welcome_wazuh.sh USER kibana -RUN /usr/local/bin/kibana-docker --optimize +RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --optimize ENTRYPOINT ./entrypoint.sh From 8f660d06e041a6115127b02f214257eb487dd4a9 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Wed, 15 Apr 2020 16:26:43 +0200 Subject: [PATCH 037/156] Install Wazuh plugin from kibana folder --- kibana/Dockerfile | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/kibana/Dockerfile b/kibana/Dockerfile index efd70883..5e7c2f58 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile 
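Review bot: `ENTRYPOINT ./entrypoint.sh` in this hunk's context is still shell form, so Kibana's entrypoint runs under `/bin/sh -c` and is not PID 1 — the same issue this series already fixed for nginx in the "Switch entrypoint to json format" and "Exec nginx as PID 1" patches. Change it to `ENTRYPOINT ["./entrypoint.sh"]` and make sure the script ends with an `exec` of the kibana process; whether it does is outside this hunk. The `NODE_OPTIONS` change itself is fine as an inline build-time variable and does not leak into the runtime environment.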
@@ -5,11 +5,10 @@ ARG ELASTIC_VERSION=7.6.2 ARG WAZUH_VERSION=3.12.2 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" -#ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /usr/share/kibana/ - -RUN /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip -# RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip +WORKDIR /usr/share/kibana +RUN ./bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip +WORKDIR / USER root COPY config/entrypoint.sh ./entrypoint.sh RUN chmod 755 ./entrypoint.sh From 618169bffb14b513a23e8e89116aaf63720897cf Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Wed, 15 Apr 2020 19:04:47 +0200 Subject: [PATCH 038/156] Remove obsolete data_dirs.env --- README.md | 1 - wazuh/config/data_dirs.env | 15 --------------- 2 files changed, 16 deletions(-) delete mode 100644 wazuh/config/data_dirs.env diff --git a/README.md b/README.md index fc63d818..e28fe2fc 100644 --- a/README.md +++ b/README.md @@ -59,7 +59,6 @@ Documentation on how to provide these two can be found at [nginx_conf/README.md] ├── VERSION └── wazuh ├── config - │   ├── data_dirs.env │   ├── etc │   │   ├── cont-init.d │   │   │   ├── 0-wazuh-init diff --git a/wazuh/config/data_dirs.env b/wazuh/config/data_dirs.env deleted file mode 100644 index b91f4cc7..00000000 --- a/wazuh/config/data_dirs.env +++ /dev/null @@ -1,15 +0,0 @@ -i=0 -DATA_DIRS[((i++))]="api/configuration" -DATA_DIRS[((i++))]="etc" -DATA_DIRS[((i++))]="logs" -DATA_DIRS[((i++))]="queue/db" -DATA_DIRS[((i++))]="queue/rootcheck" -DATA_DIRS[((i++))]="queue/agent-groups" -DATA_DIRS[((i++))]="queue/agent-info" -DATA_DIRS[((i++))]="queue/agents-timestamp" -DATA_DIRS[((i++))]="queue/agentless" -DATA_DIRS[((i++))]="queue/cluster" -DATA_DIRS[((i++))]="queue/rids" -DATA_DIRS[((i++))]="queue/fts" -DATA_DIRS[((i++))]="var/multigroups" -export DATA_DIRS 
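Review bot: `./bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip` fetches the plugin at build time with no integrity check, so the image content depends on whatever that URL serves on the day of the build. Download the zip with curl, verify it against a published checksum (`echo "<expected-sha256>  wazuhapp.zip" | sha256sum -c -`), and install from the local file with `kibana-plugin install file:///path/to/wazuhapp.zip`. The `WORKDIR /` afterwards only restores the previous directory; keeping the absolute `/usr/share/kibana/bin/kibana-plugin` path of the removed line would avoid the two WORKDIR switches.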
From 35f958a25c56712c3d004055b7ab9534d8ff6900 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Mon, 15 Jun 2020 18:17:09 +0200 Subject: [PATCH 039/156] Save agentless state --- docker-compose.yml | 2 ++ wazuh/config/permanent_data.env | 13 +++++++++++++ 2 files changed, 15 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index 46ef19be..3bac019c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -19,6 +19,7 @@ services: - ossec_var_multigroups:/var/ossec/var/multigroups - ossec_integrations:/var/ossec/integrations - ossec_active_response:/var/ossec/active-response/bin + - ossec_agentless:/var/ossec/agentless - ossec_wodles:/var/ossec/wodles - filebeat_etc:/etc/filebeat - filebeat_var:/var/lib/filebeat @@ -68,6 +69,7 @@ volumes: ossec_var_multigroups: ossec_integrations: ossec_active_response: + ossec_agentless: ossec_wodles: filebeat_etc: filebeat_var: diff --git a/wazuh/config/permanent_data.env b/wazuh/config/permanent_data.env index b19409ac..ca461d63 100644 --- a/wazuh/config/permanent_data.env +++ b/wazuh/config/permanent_data.env @@ -4,6 +4,7 @@ PERMANENT_DATA[((i++))]="/var/ossec/api/configuration" PERMANENT_DATA[((i++))]="/var/ossec/etc" PERMANENT_DATA[((i++))]="/var/ossec/logs" PERMANENT_DATA[((i++))]="/var/ossec/queue" +PERMANENT_DATA[((i++))]="/var/ossec/agentless" PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups" PERMANENT_DATA[((i++))]="/var/ossec/integrations" PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin" 
@@ -36,6 +37,18 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh" PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh" PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh" PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_bsd" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/main.exp" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/su.exp" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_linux" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/register_host.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp" PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3" PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py" PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs" From be81cf9593692c3ad06407c6ab28541e8ce040dc Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 18 Jun 2020 12:34:19 +0200 Subject: [PATCH 040/156] Bump S6-overlay version --- wazuh/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index 45344ded..c1d7fa89 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile 
@@ -30,7 +30,7 @@ RUN curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com RUN curl -s https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module -ARG S6_VERSION="v1.22.1.0" +ARG S6_VERSION="v2.0.0.1" RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \ -o /tmp/s6-overlay-amd64.tar.gz && \ tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \ From f3bcb7f6e1f7b5c32334c2d62912e382bb43f259 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 16 Apr 2020 20:09:23 +0200 Subject: [PATCH 041/156] User original ES image --- docker-compose.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 3bac019c..37a557fe 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -23,21 +23,24 @@ services: - ossec_wodles:/var/ossec/wodles - filebeat_etc:/etc/filebeat - filebeat_var:/var/lib/filebeat + elasticsearch: - build: elasticsearch + image: docker.elastic.co/elasticsearch/elasticsearch:7.6.2 hostname: elasticsearch restart: always ports: - "9200:9200" + - "9300:9300" environment: - "ES_JAVA_OPTS=-Xms1g -Xmx1g" - - ELASTIC_CLUSTER=true - - CLUSTER_NODE_MASTER=true - - CLUSTER_MASTER_NODE_NAME=es01 + - node.name=es01 + - node.master=true + - cluster.initial_master_nodes=es01 ulimits: memlock: soft: -1 hard: -1 + kibana: build: kibana hostname: kibana @@ -47,6 +50,7 @@ services: links: - elasticsearch:elasticsearch - wazuh:wazuh + nginx: image: nginx:stable hostname: nginx From 8ebd2b2609bac6b98bcfba2fe4ee482e42d30f4e Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 16 Apr 2020 20:18:40 +0200 Subject: [PATCH 042/156] Disable swapping --- docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yml b/docker-compose.yml index 37a557fe..7b55efd1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -33,6 +33,7 @@ services: - "9300:9300" environment: - "ES_JAVA_OPTS=-Xms1g -Xmx1g" + - bootstrap.memory_lock=true - node.name=es01 - node.master=true - cluster.initial_master_nodes=es01 From 5a0865da0bdde51aeb54decf615f2e4d2dc730cc Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Fri, 17 Apr 2020 18:51:44 +0200 Subject: [PATCH 043/156] Port config behavior from latest version --- kibana/config/wazuh_app_config.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/kibana/config/wazuh_app_config.sh b/kibana/config/wazuh_app_config.sh index ea09b23d..cae2dcef 100644 --- a/kibana/config/wazuh_app_config.sh +++ b/kibana/config/wazuh_app_config.sh @@ -6,7 +6,9 @@ wazuh_port="${API_PORT:-55000}" api_user="${API_USER:-foo}" api_password="${API_PASS:-bar}" -kibana_config_file="/usr/share/kibana/plugins/wazuh/wazuh.yml" +kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml" +mkdir -p /usr/share/kibana/optimize/wazuh/config/ +touch $kibana_config_file declare -A CONFIG_MAP=( [pattern]=$PATTERN @@ -53,7 +55,8 @@ grep -q 1513629884013 $kibana_config_file _config_exists=$? if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then -cat << EOF >> $kibana_config_file +cat << EOF > $kibana_config_file +hosts: - 1513629884013: url: $wazuh_url port: $wazuh_port From 701386d5a31d0e00f3f83e7ec0499288fc0ed28f Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Fri, 17 Apr 2020 18:52:02 +0200 Subject: [PATCH 044/156] Set discovery single node --- docker-compose.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 7b55efd1..c5ecdb13 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -34,9 +34,7 @@ services: environment: - "ES_JAVA_OPTS=-Xms1g -Xmx1g" - bootstrap.memory_lock=true - - node.name=es01 - - node.master=true - - cluster.initial_master_nodes=es01 + - discovery.type=single-node ulimits: memlock: soft: -1 
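Review bot: Changing `cat << EOF >> $kibana_config_file` to `cat << EOF > $kibana_config_file` in the second hunk truncates wazuh.yml whenever the `1513629884013` entry is absent, so any other content an operator placed in that file (additional `hosts:` entries, for instance) is silently discarded at the next start; if the intent is to emit the `hosts:` key exactly once, guarding on `grep -q '^hosts:' "$kibana_config_file"` and appending otherwise keeps existing content. The file this heredoc fills presumably carries the API credentials (`api_user`/`api_password` are read just above the first hunk), yet the new `touch $kibana_config_file` creates it with the default umask; `touch "$kibana_config_file" && chmod 600 "$kibana_config_file"` restricts it to the kibana user the image runs as. `$kibana_config_file` is also unquoted in `touch`, `grep` and both redirections. The `if` block and the heredoc continue past the end of the hunk.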
From 68c1fb171fca213305350087eff9fed53a505c0e Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Fri, 17 Apr 2020 19:29:45 +0200 Subject: [PATCH 045/156] Remove elastic container --- elasticsearch/Dockerfile | 54 ------------- elasticsearch/config/config_cluster.sh | 57 -------------- elasticsearch/config/configure_s3.sh | 77 ------------------ elasticsearch/config/entrypoint.sh | 52 ------------- elasticsearch/config/load_settings.sh | 103 ------------------------- 5 files changed, 343 deletions(-) delete mode 100644 elasticsearch/Dockerfile delete mode 100644 elasticsearch/config/config_cluster.sh delete mode 100644 elasticsearch/config/configure_s3.sh delete mode 100644 elasticsearch/config/entrypoint.sh delete mode 100644 elasticsearch/config/load_settings.sh diff --git a/elasticsearch/Dockerfile b/elasticsearch/Dockerfile deleted file mode 100644 index 13656b2d..00000000 --- a/elasticsearch/Dockerfile +++ /dev/null 
@@ -1,54 +0,0 @@ -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) -ARG ELASTIC_VERSION=7.6.2 -FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION} -ARG S3_PLUGIN_URL="https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-${ELASTIC_VERSION}.zip" - -ENV ELASTICSEARCH_URL="http://elasticsearch:9200" - -ENV ALERTS_SHARDS="1" \ - ALERTS_REPLICAS="0" - -ENV API_USER="foo" \ - API_PASS="bar" - -ENV XPACK_ML="true" - -ENV ENABLE_CONFIGURE_S3="false" - -ARG TEMPLATE_VERSION=v3.12.2 - -# Elasticearch cluster configuration environment variables -# If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration -# CLUSTER_INITIAL_MASTER_NODES set to own node by default. -ENV ELASTIC_CLUSTER="false" \ - CLUSTER_NAME="wazuh" \ - CLUSTER_NODE_MASTER="false" \ - CLUSTER_NODE_DATA="true" \ - CLUSTER_NODE_INGEST="true" \ - CLUSTER_NODE_NAME="wazuh-elasticsearch" \ - CLUSTER_MASTER_NODE_NAME="master-node" \ - CLUSTER_MEMORY_LOCK="true" \ - CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \ - CLUSTER_NUMBER_OF_MASTERS="2" \ - CLUSTER_MAX_NODES="1" \ - CLUSTER_DELAYED_TIMEOUT="1m" \ - CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch" - -COPY config/entrypoint.sh /entrypoint.sh - -RUN chmod 755 /entrypoint.sh - -COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./ - -RUN chmod +x ./load_settings.sh - -RUN ${bin/elasticsearch-plugin install --batch S3_PLUGIN_URL} - -COPY config/configure_s3.sh ./config/configure_s3.sh -RUN chmod 755 ./config/configure_s3.sh - -COPY --chown=elasticsearch:elasticsearch ./config/config_cluster.sh ./ -RUN chmod +x ./config_cluster.sh - -ENTRYPOINT ["/entrypoint.sh"] -CMD ["elasticsearch"] diff --git a/elasticsearch/config/config_cluster.sh b/elasticsearch/config/config_cluster.sh deleted file mode 100644 index e58b423c..00000000 --- a/elasticsearch/config/config_cluster.sh +++ /dev/null 
@@ -1,57 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) - -elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml" - -remove_single_node_conf(){ - if grep -Fq "discovery.type" $1; then - sed -i '/discovery.type\: /d' $1 - fi -} - -remove_cluster_config(){ - sed -i '/# cluster node/,/# end cluster config/d' $1 -} - -# If Elasticsearch cluster is enabled, then set up the elasticsearch.yml -if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $CLUSTER_MASTER_NODE_NAME != "" ]]; then - # Remove the old configuration - remove_single_node_conf $elastic_config_file - remove_cluster_config $elastic_config_file - -if [[ $CLUSTER_NODE_MASTER == "true" ]]; then -# Add the master configuration -# cluster.initial_master_nodes for bootstrap the cluster -cat > $elastic_config_file << EOF -# cluster node -network.host: 0.0.0.0 -node.name: $CLUSTER_MASTER_NODE_NAME -node.master: $CLUSTER_NODE_MASTER -cluster.initial_master_nodes: - - $CLUSTER_MASTER_NODE_NAME -# end cluster config" -EOF - -elif [[ $CLUSTER_NODE_NAME != "" ]];then -# Remove the old configuration -remove_single_node_conf $elastic_config_file -remove_cluster_config $elastic_config_file - -cat > $elastic_config_file << EOF -# cluster node -network.host: 0.0.0.0 -node.name: $CLUSTER_NODE_NAME -node.master: false -discovery.seed_hosts: - - $CLUSTER_MASTER_NODE_NAME - - $CLUSTER_NODE_NAME -# end cluster config" -EOF -fi -# If the cluster is disabled, then set a single-node configuration -else - # Remove the old configuration - remove_single_node_conf $elastic_config_file - remove_cluster_config $elastic_config_file - echo "discovery.type: single-node" >> $elastic_config_file -fi diff --git a/elasticsearch/config/configure_s3.sh b/elasticsearch/config/configure_s3.sh deleted file mode 100644 index 010236ce..00000000 --- a/elasticsearch/config/configure_s3.sh +++ /dev/null 
@@ -1,77 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) - -set -e - -# Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error. -# param 1: number of arguments passed to configure_s3.sh - -function CheckArgs() -{ - if [ $1 != 4 ] && [ $1 != 5 ];then - echo "Use: configure_s3.sh (By default is added to the path and the repository name)" - echo "or use: configure_s3.sh " - exit 1 - - fi -} - -# Create S3 repository from base_path / (if there is no argument, current version is added) -# Repository name would be - (if there is no argument, current version is added) -# param 1: -# param 2: -# param 3: -# param 4: -# param 5: Optional -# output: It will show "acknowledged" if the repository has been successfully created - -function CreateRepo() -{ - - elastic_ip_port="$2" - bucket_name="$3" - path="$4" - repository_name="$5" - - if [ $1 == 5 ];then - version="$6" - else - version=`curl -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1` - fi - - if ! [[ "$version" =~ ^[0-9]+$ ]];then - echo "Elasticsearch major version must be an integer" - exit 1 - fi - - repository="$repository_name-$version" - s3_path="$path/$version" - - curl -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d' - { - "type": "s3", - "settings": { - "bucket": "'$bucket_name'", - "base_path": "'$s3_path'" - } - } - ' - -} - -# Run functions CheckArgs and CreateRepo -# param 1: number of arguments passed to configure_s3.sh -# param 2: -# param 3: -# param 4: -# param 5: -# param 6: Optional - -function Main() -{ - CheckArgs $1 - - CreateRepo $1 $2 $3 $4 $5 $6 -} - -Main $# $1 $2 $3 $4 $5 diff --git a/elasticsearch/config/entrypoint.sh b/elasticsearch/config/entrypoint.sh deleted file mode 100644 index cfeb7705..00000000 --- a/elasticsearch/config/entrypoint.sh +++ /dev/null 
@@ -1,52 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) - -# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.0/build/elasticsearch/bin/docker-entrypoint.sh - -set -e - -# Files created by Elasticsearch should always be group writable too -umask 0002 - -run_as_other_user_if_needed() { - if [[ "$(id -u)" == "0" ]]; then - # If running as root, drop to specified UID and run command - exec chroot --userspec=1000 / "${@}" - else - # Either we are running in Openshift with random uid and are a member of the root group - # or with a custom --user - exec "${@}" - fi -} - - -#Disabling xpack features - -elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml" -if grep -Fq "#xpack features" "$elasticsearch_config_file"; -then - declare -A CONFIG_MAP=( - [xpack.ml.enabled]=$XPACK_ML - ) - for i in "${!CONFIG_MAP[@]}" - do - if [ "${CONFIG_MAP[$i]}" != "" ]; then - sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file - fi - done -else - echo " -#xpack features -xpack.ml.enabled: $XPACK_ML - " >> $elasticsearch_config_file -fi - -# Run load settings script. - -./config_cluster.sh - -./load_settings.sh & - -# Execute elasticsearch - -run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch diff --git a/elasticsearch/config/load_settings.sh b/elasticsearch/config/load_settings.sh deleted file mode 100644 index 2754b84f..00000000 --- a/elasticsearch/config/load_settings.sh +++ /dev/null 
@@ -1,103 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) - -set -e - -el_url=${ELASTICSEARCH_URL} - -if [ "x${WAZUH_API_URL}" = "x" ]; then - wazuh_url="https://wazuh" -else - wazuh_url="${WAZUH_API_URL}" -fi - -if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then - auth="" -else - auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" -fi - -until curl ${auth} -XGET $el_url; do - >&2 echo "Elastic is unavailable - sleeping" - sleep 5 -done - ->&2 echo "Elastic is up - executing command" - -if [ $ENABLE_CONFIGURE_S3 ]; then - #Wait for Elasticsearch to be ready to create the repository - sleep 10 - IP_PORT="${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}" - - if [ "x$S3_PATH" != "x" ]; then - - if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then - ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR - - else - ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME - - fi - - fi - -fi - -#Insert default templates - -API_PASS_Q=`echo "$API_PASS" | tr -d '"'` -API_USER_Q=`echo "$API_USER" | tr -d '"'` -API_PASSWORD=`echo -n $API_PASS_Q | base64` - -echo "Setting API credentials into Wazuh APP" -CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth}) - -if [ "x$CONFIG_CODE" != "x200" ]; then - curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d' - { - "api_user": "'"$API_USER_Q"'", - "api_password": "'"$API_PASSWORD"'", - "url": "'"$wazuh_url"'", - "api_port": "55000", - "insecure": "true", - "component": "API", - "cluster_info": { - "manager": "wazuh-manager", - "cluster": "Disabled", - "status": "disabled" - }, - "extensions": { - "oscap": true, - "audit": true, - "pci": true, - "aws": true, - "virustotal": true, - "gdpr": true, - "ciscat": true - } - } - ' > /dev/null -else - echo "Wazuh APP already configured" -fi 
-sleep 5 - -curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d' -{ - "persistent": { - "xpack.monitoring.collection.enabled": true - } -} -' - -# Set cluster delayed timeout when node falls -curl -X PUT "$el_url/_all/_settings" -H 'Content-Type: application/json' -d' -{ - "settings": { - "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'" - } -} -' - - -echo "Elasticsearch is ready." From feb12837e8cf466236112f89be81c555d414b61d Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Fri, 17 Apr 2020 19:30:16 +0200 Subject: [PATCH 046/156] Mount elastic conf --- docker-compose.yml | 2 ++ elastic_conf/elasticsearch.yml | 3 +++ 2 files changed, 5 insertions(+) create mode 100644 elastic_conf/elasticsearch.yml diff --git a/docker-compose.yml b/docker-compose.yml index c5ecdb13..4d8d8015 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -39,6 +39,8 @@ services: memlock: soft: -1 hard: -1 + volumes: + - ./elastic_conf/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml kibana: build: kibana diff --git a/elastic_conf/elasticsearch.yml b/elastic_conf/elasticsearch.yml new file mode 100644 index 00000000..a7b1d6a5 --- /dev/null +++ b/elastic_conf/elasticsearch.yml @@ -0,0 +1,3 @@ +cluster.name: wazuh-elastic +network.host: 0.0.0.0 + From c8c0e84ed87c4980ae02954bea23861531c54d39 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Fri, 17 Apr 2020 19:48:30 +0200 Subject: [PATCH 047/156] Remove port 93000 --- docker-compose.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 4d8d8015..6d961f0e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -30,7 +30,6 @@ services: restart: always ports: - "9200:9200" - - "9300:9300" environment: - "ES_JAVA_OPTS=-Xms1g -Xmx1g" - bootstrap.memory_lock=true From d2b06568088cd9f7b820c460390e643597d83af9 Mon Sep 17 00:00:00 2001 
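Review bot: The new `elastic_conf/elasticsearch.yml` binds with `network.host: 0.0.0.0` but says nothing about `xpack.security.enabled`, and the compose service it is mounted into still publishes `9200:9200` on the host, so unless the stock 7.x image enables security on its own (it does not on the basic licence, as far as I know) the Elasticsearch REST API is reachable from the host with no authentication. Adding `xpack.security.enabled: true` here, or a comment in the file stating that the stack is meant to run unauthenticated behind the nginx service, would make the intended trust boundary explicit. The file also ends with an empty added line.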
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 18 Jun 2020 18:27:48 +0200 Subject: [PATCH 048/156] Add HTTP auth to curl if required --- kibana/config/kibana_settings.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/kibana/config/kibana_settings.sh b/kibana/config/kibana_settings.sh index adb968e0..2e53037d 100644 --- a/kibana/config/kibana_settings.sh +++ b/kibana/config/kibana_settings.sh @@ -44,7 +44,12 @@ else kibana_ip="kibana" fi -while [[ "$(curl -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_ip:5601/status)" != "200" ]]; do +# Add auth headers if required +if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; then + curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD" +fi + +while [[ "$(curl $curl_auth -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_ip:5601/status)" != "200" ]]; do echo "Waiting for Kibana API. Sleeping 5 seconds" sleep 5 done From b90fc8053e38dc1bdbdcf4f7dc292ba8cf34bd0d Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 19 Jun 2020 12:11:52 +0200 Subject: [PATCH 049/156] Bump versions to 3.12.3_7.7.1 --- docker-compose.yml | 2 +- kibana/Dockerfile | 6 +++--- wazuh/Dockerfile | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 6d961f0e..e537c5f5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -25,7 +25,7 @@ services: - filebeat_var:/var/lib/filebeat elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.6.2 + image: docker.elastic.co/elasticsearch/elasticsearch:7.7.1 hostname: elasticsearch restart: always ports: diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 5e7c2f58..38bfdded 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile 
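Review bot: Building `curl_auth` as a plain string and expanding it unquoted in the `while` condition means a password containing whitespace or glob characters is word-split or glob-expanded by the shell, and the `-u user:pass` form also exposes the credential in the process list (`/proc/<pid>/cmdline`) on every poll iteration. A bash array keeps the argument intact: `curl_auth=(-u "$ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD")` and `curl "${curl_auth[@]}" -XGET -I -s -o /dev/null ...`; a `.netrc` used with `curl -n` (or a `--config` file with 0600 permissions) avoids the command-line exposure entirely. If the script runs under `set -u`, the unset `curl_auth` in the no-credentials branch would abort the loop; initialising it with `curl_auth=()` before the `if` covers that, though the script's preamble is outside the hunk so I cannot confirm the shell options in use.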
@@ -1,8 +1,8 @@ # Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) -FROM docker.elastic.co/kibana/kibana:7.6.2 +FROM docker.elastic.co/kibana/kibana:7.7.1 USER kibana -ARG ELASTIC_VERSION=7.6.2 -ARG WAZUH_VERSION=3.12.2 +ARG ELASTIC_VERSION=7.7.1 +ARG WAZUH_VERSION=3.12.3 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" WORKDIR /usr/share/kibana diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index c1d7fa89..d21c43c4 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -1,9 +1,9 @@ # Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) FROM centos:7 -ARG FILEBEAT_VERSION=7.6.2 -ARG WAZUH_VERSION=3.12.2-1 -ARG TEMPLATE_VERSION="v3.12.2" +ARG FILEBEAT_VERSION=7.7.1 +ARG WAZUH_VERSION=3.12.3-1 +ARG TEMPLATE_VERSION="v3.12.3" ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz" ENV API_USER="foo" \ From 79c4734801a1d5b8c9443c09888349e824302e0e Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 22 Jul 2020 18:10:14 +0200 Subject: [PATCH 050/156] Bump version to 3.13.1_7.8.0 --- CHANGELOG.md | 26 ++++++++++++++++++++++++++ VERSION | 4 ++-- docker-compose.yml | 2 +- kibana/Dockerfile | 6 +++--- wazuh/Dockerfile | 6 +++--- 5 files changed, 35 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4d683dfd..721d2cf1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,32 @@ # Change Log All notable changes to this project will be documented in this file. +# Change Log +All notable changes to this project will be documented in this file. + +## Wazuh Docker v3.13.1_7.8.0 + +### Added + +- Update to Wazuh version 3.13.1_7.8.0 + +## Wazuh Docker v3.13.0_7.7.1 + +### Added + +- Update to Wazuh version 3.13.3_7.7.1 + +### Fixed + +- Save agentless state ([@xr09](https://github.com/xr09)) [#350](https://github.com/wazuh/wazuh-docker/pull/350) +- Use HTTP credentials for service check when required ([@xr09](https://github.com/xr09)) [#356](https://github.com/wazuh/wazuh-docker/pull/356) + +## Wazuh Docker v3.12.3_7.6.2 + +### Added + +- Update to Wazuh version 3.12.3_7.6.2 + ## Wazuh Docker v3.12.2_7.6.2 ### Added diff --git a/VERSION b/VERSION index a6f084f7..23662729 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-DOCKER_VERSION="3.12.2_7.6.2" -REVISION="31220" +WAZUH-DOCKER_VERSION="3.13.1_7.8.0" +REVISION="31310" diff --git a/docker-compose.yml b/docker-compose.yml index e537c5f5..cd8f90ff 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -25,7 +25,7 @@ services: - filebeat_var:/var/lib/filebeat elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.7.1 + image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0 hostname: elasticsearch restart: always ports: diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 38bfdded..12fffd72 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile @@ -1,8 +1,8 @@ # Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) -FROM docker.elastic.co/kibana/kibana:7.7.1 +FROM docker.elastic.co/kibana/kibana:7.8.0 USER kibana -ARG ELASTIC_VERSION=7.7.1 -ARG WAZUH_VERSION=3.12.3 +ARG ELASTIC_VERSION=7.8.0 +ARG WAZUH_VERSION=3.13.1 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" WORKDIR /usr/share/kibana diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index d21c43c4..ecd0855a 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile 
@@ -1,9 +1,9 @@ # Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) FROM centos:7 -ARG FILEBEAT_VERSION=7.7.1 -ARG WAZUH_VERSION=3.12.3-1 -ARG TEMPLATE_VERSION="v3.12.3" +ARG FILEBEAT_VERSION=7.8.0 +ARG WAZUH_VERSION=3.13.1-1 +ARG TEMPLATE_VERSION="v3.13.1" ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz" ENV API_USER="foo" \ From 67e259a681005ba3ab25f378b1129c2f2a999e80 Mon Sep 17 00:00:00 2001 From: manuasir Date: Thu, 30 Jul 2020 00:16:02 +0200 Subject: [PATCH 051/156] Merge branch 'feature-github-actions' into devel-rework --- .github/workflows/push.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/workflows/push.yml diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml new file mode 100644 index 00000000..b427cf4b --- /dev/null +++ b/.github/workflows/push.yml @@ -0,0 +1,14 @@ +name: Wazuh Docker pipeline + +on: [push] + +jobs: + build-stack: + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v2 + - name: Build the docker-compose stack + run: docker-compose up -d --build + - name: Check running containers + run: docker ps -a From d8b186aa52e77ea0de36716ba3b165dd5bc59346 Mon Sep 17 00:00:00 2001 
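Review bot: The `Check running containers` step can never fail: `docker ps -a` lists exited containers and returns 0, so a service that crashed right after `docker-compose up -d --build` still leaves the job green. A step such as `run: test -z "$(docker ps -aq --filter status=exited)"` (after a short wait for the services to settle) turns a crashed container into a failed build. `actions/checkout@v2` is pinned only to a moving major tag; pinning the action to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening for workflows. A comment on the `build-stack` job noting that the run only proves the images build and start, not that the stack functions, would set expectations for whoever extends it.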
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 18 Aug 2020 16:29:55 +0200 Subject: [PATCH 052/156] Add wazuh image using filebeat-oss --- wazuh-opendistro/Dockerfile | 59 +++++ .../config/etc/cont-init.d/0-wazuh-init | 232 ++++++++++++++++++ .../config/etc/cont-init.d/1-config-filebeat | 29 +++ .../config/etc/cont-init.d/2-manager | 3 + .../config/etc/services.d/api/finish | 6 + .../config/etc/services.d/api/run | 4 + .../config/etc/services.d/filebeat/finish | 6 + .../config/etc/services.d/filebeat/run | 4 + wazuh-opendistro/config/filebeat.yml | 21 ++ wazuh-opendistro/config/permanent_data.env | 74 ++++++ wazuh-opendistro/config/permanent_data.sh | 40 +++ wazuh-opendistro/config/wazuh.repo | 7 + 12 files changed, 485 insertions(+) create mode 100644 wazuh-opendistro/Dockerfile create mode 100644 wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init create mode 100644 wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat create mode 100644 wazuh-opendistro/config/etc/cont-init.d/2-manager create mode 100644 wazuh-opendistro/config/etc/services.d/api/finish create mode 100644 wazuh-opendistro/config/etc/services.d/api/run create mode 100644 wazuh-opendistro/config/etc/services.d/filebeat/finish create mode 100644 wazuh-opendistro/config/etc/services.d/filebeat/run create mode 100644 wazuh-opendistro/config/filebeat.yml create mode 100644 wazuh-opendistro/config/permanent_data.env create mode 100644 wazuh-opendistro/config/permanent_data.sh create mode 100644 wazuh-opendistro/config/wazuh.repo diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile new file mode 100644 index 00000000..1add03c0 --- /dev/null +++ b/wazuh-opendistro/Dockerfile 
@@ -0,0 +1,59 @@ +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) +FROM centos:7 + +ARG FILEBEAT_VERSION=7.8.0 +ARG WAZUH_VERSION=3.13.1-1 +ARG TEMPLATE_VERSION="v3.13.1" +ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz" + +ENV API_USER="foo" \ + API_PASS="bar" + + +# Set repositories. +RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH + +COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo + +RUN yum --enablerepo=updates clean metadata && \ + yum -y install openssl which && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \ + curl --silent --location https://rpm.nodesource.com/setup_10.x | bash - && \ + yum -y install nodejs && yum -y install wazuh-api-${WAZUH_VERSION} && \ + sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \ + yum clean all && rm -rf /var/cache/yum + +RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm &&\ + rpm -i filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm + +RUN curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/${TEMPLATE_VERSION}/extensions/elasticsearch/7.x/wazuh-template.json &&\ + chmod go+r /etc/filebeat/wazuh-template.json + +RUN curl -s https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module + +ARG S6_VERSION="v2.0.0.1" +RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \ + -o /tmp/s6-overlay-amd64.tar.gz && \ + tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \ + tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \ + rm /tmp/s6-overlay-amd64.tar.gz + +COPY config/filebeat.yml /etc/filebeat/ + +RUN chmod go-w /etc/filebeat/filebeat.yml + +ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat +RUN chmod go-w 
/etc/filebeat/wazuh-template.json + +COPY config/etc/ /etc/ + +# Prepare permanent data +# Sync calls are due to https://github.com/docker/docker/issues/9547 +COPY config/permanent_data.env config/permanent_data.sh / +RUN chmod 755 /permanent_data.sh && \ + sync && /permanent_data.sh && \ + sync && rm /permanent_data.sh + +# Services ports +EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp + +ENTRYPOINT [ "/init" ] diff --git a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init new file mode 100644 index 00000000..b0cbd001 --- /dev/null +++ b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init 
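Review bot: The `ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat` near the end of the hunk re-downloads the same file that `curl -so /etc/filebeat/wazuh-template.json ...` already fetched earlier in this Dockerfile, overwriting it without any checksum; the `ADD`/`chmod go-w` pair can be dropped. The remaining `curl -so` and `curl -s ... | tar -xvz` fetches run without `--fail`, so an HTTP error body would be written as the template or piped into tar; `curl -sSf -o /etc/filebeat/wazuh-template.json ...` makes a failed download fail the build instead. The `curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -` line executes an unverified remote script as root at build time, and the s6-overlay tarball and filebeat-oss rpm are fetched without a recorded digest; `ADD --checksum=sha256:<recorded digest>` or a `sha256sum -c` against a value kept in the repo would pin them. The image also bakes `API_USER`/`API_PASS` defaults into `ENV` and ends without a `USER` directive; if the s6 services are expected to drop privileges themselves, a comment above `ENTRYPOINT [ "/init" ]` saying so would save the next reviewer the question.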
@@ -0,0 +1,232 @@ +#!/usr/bin/with-contenv bash +# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2) + +# Variables +source /permanent_data.env + +WAZUH_INSTALL_PATH=/var/ossec +WAZUH_CONFIG_MOUNT=/wazuh-config-mount +AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true} +API_GENERATE_CERTS=${API_GENERATE_CERTS:-true} + + +############################################################################## +# Aux functions +############################################################################## +print() { + echo -e $1 +} + +error_and_exit() { + echo "Error executing command: '$1'." + echo 'Exiting.' + exit 1 +} + +exec_cmd() { + eval $1 > /dev/null 2>&1 || error_and_exit "$1" +} + +exec_cmd_stdout() { + eval $1 2>&1 || error_and_exit "$1" +} + + +############################################################################## +# Edit configuration +############################################################################## + +edit_configuration() { # $1 -> setting, $2 -> value + sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${WAZUH_INSTALL_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)" +} + +############################################################################## +# This function will attempt to mount every directory in PERMANENT_DATA +# into the respective path. +# If the path is empty means permanent data volume is also empty, so a backup +# will be copied into it. Otherwise it will not be copied because there is +# already data inside the volume for the specified path. +############################################################################## + +mount_permanent_data() { + for permanent_dir in "${PERMANENT_DATA[@]}"; do + # Check if the path is not empty + if find ${permanent_dir} -mindepth 1 | read; then + print "The path ${permanent_dir} is already mounted" + else + print "Installing ${permanent_dir}" + exec_cmd "cp -a ${WAZUH_INSTALL_PATH}/data_tmp/permanent${permanent_dir}/. 
${permanent_dir}" + fi + done +} + +############################################################################## +# This function will replace from the permanent data volume every file +# contained in PERMANENT_DATA_EXCP +# Some files as 'internal_options.conf' are saved as permanent data, but +# they must be updated to work properly if wazuh version is changed. +############################################################################## + +apply_exclusion_data() { + for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do + if [ -e ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ] + then + DIR=$(dirname "${exclusion_file}") + if [ ! -e ${DIR} ] + then + mkdir -p ${DIR} + fi + + print "Updating ${exclusion_file}" + exec_cmd "cp -p ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ${exclusion_file}" + fi + done +} + +############################################################################## +# This function will delete from the permanent data volume every file +# contained in PERMANENT_DATA_DEL +############################################################################## + +remove_data_files() { + for del_file in "${PERMANENT_DATA_DEL[@]}"; do + if [ -e ${del_file} ] + then + print "Removing ${del_file}" + exec_cmd "rm ${del_file}" + fi + done +} + +############################################################################## +# Create certificates: Manager +############################################################################## + +create_ossec_key_cert() { + print "Creating ossec-authd key and cert" + exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.key 4096" + exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/" +} + +############################################################################## +# Create certificates: API +############################################################################## + 
+create_api_key_cert() { + print "Enabling Wazuh API HTTPS" + edit_configuration "https" "yes" + print "Create Wazuh API key and cert" + exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key 4096" + exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/" + + # Granting proper permissions + chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key + chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt +} + +############################################################################## +# Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect +# destination files permissions +# +# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at +# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will +# replace the ossec.conf file in /var/ossec/data/etc with yours. +############################################################################## + +mount_files() { + if [ -e "$WAZUH_CONFIG_MOUNT" ] + then + print "Identified Wazuh configuration files to mount..." + exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $WAZUH_INSTALL_PATH" + else + print "No Wazuh configuration files to mount..." + fi +} + +############################################################################## +# Stop OSSEC +############################################################################## + +function ossec_shutdown(){ + ${WAZUH_INSTALL_PATH}/bin/ossec-control stop; +} + +############################################################################## +# Interpret any passed arguments (via docker command to this entrypoint) as +# paths or commands, and execute them. +# +# This can be useful for actions that need to be run before the services are +# started, such as "/var/ossec/bin/ossec-control enable agentless". 
+############################################################################## + +docker_custom_args() { + for CUSTOM_COMMAND in "$@" + do + echo "Executing command \`${CUSTOM_COMMAND}\`" + exec_cmd_stdout "${CUSTOM_COMMAND}" + done +} + +############################################################################## +# Change Wazuh API user credentials. +############################################################################## + +change_api_user_credentials() { + pushd /var/ossec/api/configuration/auth/ + echo "Change Wazuh API user credentials" + change_user="node htpasswd -b -c user $API_USER $API_PASS" + eval $change_user + popd +} + + +############################################################################## +# Main function +############################################################################## + +main() { + # Mount permanent data (i.e. ossec.conf) + mount_permanent_data + + # Restore files stored in permanent data that are not permanent (i.e. internal_options.conf) + apply_exclusion_data + + # Remove some files in permanent_data (i.e. .template.db) + remove_data_files + + # Generate ossec-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist + if [ $AUTO_ENROLLMENT_ENABLED == true ] + then + if [ ! -e ${WAZUH_INSTALL_PATH}/etc/sslmanager.key ] + then + create_ossec_key_cert + fi + fi + + # Generate API certs if API_GENERATE_CERTS is true and does not exist + if [ $API_GENERATE_CERTS == true ] + then + if [ ! -e ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt ] + then + create_api_key_cert + fi + fi + + # Mount selected files (WAZUH_CONFIG_MOUNT) to container + mount_files + + # Trap exit signals and do a proper shutdown + trap "ossec_shutdown; exit" SIGINT SIGTERM + + # Execute custom args + docker_custom_args + + # Change API user credentials + change_api_user_credentials + + # Delete temporary data folder + rm -rf ${WAZUH_INSTALL_PATH}/data_tmp + +} + +main 
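Review bot: `change_api_user_credentials` runs `eval` on a command string that embeds `$API_USER`/`$API_PASS`, which default to the `foo`/`bar` the Dockerfile bakes in with `ENV`, and nothing checks that the operator overrode them, so a manager started without explicit values accepts a known API login; `htpasswd -b` additionally places the password on the command line, where it is readable through `/proc` for the duration of the call. Because the function runs on every start with `-c`, the `user` file is recreated from the environment each boot, which presumably reverts any credential change made through the API (inferred from the flags; confirm against the node htpasswd package). I would drop the eval, quote the variables and refuse the defaults: `[ "$API_USER" != "foo" ] && [ "$API_PASS" != "bar" ] || error_and_exit "API_USER/API_PASS must be changed from the image defaults"` followed by `node htpasswd -b -c user "$API_USER" "$API_PASS"`. On a related note, `create_ossec_key_cert` leaves `sslmanager.key` at whatever mode the umask yields while `create_api_key_cert` restricts its key to 400; add `chmod 400 ${WAZUH_INSTALL_PATH}/etc/sslmanager.key` so the authd key gets the same treatment.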
diff --git a/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat b/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat
new file mode 100644
index 00000000..2f744915
--- /dev/null
+++ b/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat
@@ -0,0 +1,29 @@
+#!/usr/bin/with-contenv bash
+# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+set -e
+
+if [ "$ELASTICSEARCH_URL" != "" ]; then
+ >&2 echo "Customize Elasticsearch ouput IP"
+ sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml
+fi
+
+# Configure filebeat.yml security settings
+
+if [ "$SSL_CERTIFICATE_AUTHORITIES" != "" ]; then
+ >&2 echo "Configuring Certificate Authorities."
+ sed -i 's|#ssl.certificate_authorities:|'ssl.certificate_authorities:\ [\"$SSL_CERTIFICATE_AUTHORITIES\"]'|g' /etc/filebeat/filebeat.yml
+fi
+
+if [ "$USERNAME" != "" ]; then
+ >&2 echo "Configuring username."
+ sed -i 's|#username:|'username:\ \"$USERNAME\"'|g' /etc/filebeat/filebeat.yml
+fi
+
+if [ "$PASSWORD" != "" ]; then
+ >&2 echo "Configuring password."
+ sed -i 's|#password:|'password:\ \"$PASSWORD\"'|g' /etc/filebeat/filebeat.yml
+fi
+
+chmod go-w /etc/filebeat/filebeat.yml || true
+chown root: /etc/filebeat/filebeat.yml || true
diff --git a/wazuh-opendistro/config/etc/cont-init.d/2-manager b/wazuh-opendistro/config/etc/cont-init.d/2-manager
new file mode 100644
index 00000000..e548e8b1
--- /dev/null
+++ b/wazuh-opendistro/config/etc/cont-init.d/2-manager
@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv bash
+
+/var/ossec/bin/ossec-control start
diff --git a/wazuh-opendistro/config/etc/services.d/api/finish b/wazuh-opendistro/config/etc/services.d/api/finish
new file mode 100644
index 00000000..38d744d1
--- /dev/null
+++ b/wazuh-opendistro/config/etc/services.d/api/finish
@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+echo >&2 "API exited. code=${1}"
+
+# terminate other services to exit from the container
+exec s6-svscanctl -t /var/run/s6/services
+
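Review bot: `$PASSWORD` is spliced unquoted into a sed replacement and written verbatim into `/etc/filebeat/filebeat.yml`, so a password containing `|`, `&`, `"` or `\` either breaks the sed or corrupts the file, and the cleartext secret ends up in a path that `permanent_data.env` lists as a persistent volume; `$USERNAME` and the unquoted `$ELASTICSEARCH_URL` (subject to word splitting) have the same problem. Because the pattern is `#password:`, the substitution also only matches on a fresh volume — on later starts the line already reads `password: "..."`, so a rotated PASSWORD is silently ignored (inferred from the sed patterns; confirm). Filebeat expands `${VAR}` references in its config at load time, so the script can write the reference instead of the value: `sed -i "s|#password:|password: '\${PASSWORD}'|" /etc/filebeat/filebeat.yml` (and `'\${USERNAME}'` likewise), which keeps the secret out of the persisted file and makes rotation a plain restart.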
diff --git a/wazuh-opendistro/config/etc/services.d/api/run b/wazuh-opendistro/config/etc/services.d/api/run
new file mode 100644
index 00000000..e6e3e831
--- /dev/null
+++ b/wazuh-opendistro/config/etc/services.d/api/run
@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv sh
+echo >&2 "starting API"
+
+exec /bin/node /var/ossec/api/app.js
diff --git a/wazuh-opendistro/config/etc/services.d/filebeat/finish b/wazuh-opendistro/config/etc/services.d/filebeat/finish
new file mode 100644
index 00000000..8813eb67
--- /dev/null
+++ b/wazuh-opendistro/config/etc/services.d/filebeat/finish
@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+echo >&2 "Filebeat exited. code=${1}"
+
+# terminate other services to exit from the container
+exec s6-svscanctl -t /var/run/s6/services
+
diff --git a/wazuh-opendistro/config/etc/services.d/filebeat/run b/wazuh-opendistro/config/etc/services.d/filebeat/run
new file mode 100644
index 00000000..706ee5af
--- /dev/null
+++ b/wazuh-opendistro/config/etc/services.d/filebeat/run
@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv sh
+echo >&2 "starting Filebeat"
+
+exec /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
diff --git a/wazuh-opendistro/config/filebeat.yml b/wazuh-opendistro/config/filebeat.yml
new file mode 100644
index 00000000..0d04bac8
--- /dev/null
+++ b/wazuh-opendistro/config/filebeat.yml
@@ -0,0 +1,21 @@
+
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+ - module: wazuh
+ alerts:
+ enabled: true
+ archives:
+ enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.template.overwrite: true
+setup.ilm.enabled: false
+output.elasticsearch:
+ hosts: ['http://elasticsearch:9200']
+ #ssl.certificate_authorities:
+ #ssl.certificate:
+ #ssl.key:
+ #username:
+ #password:
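Review bot: `output.elasticsearch.hosts` defaults to plaintext `http://elasticsearch:9200` and every `ssl.*`, `username` and `password` key is commented out, so the output is only secured if `1-config-filebeat` is driven by the right environment variables; an operator who sets `USERNAME`/`PASSWORD` but leaves `ELASTICSEARCH_URL` on `http://` (or omits `SSL_CERTIFICATE_AUTHORITIES`) ships Basic-auth credentials and alert data in the clear, and Open Distro's default configuration serves 9200 over TLS, so the shipped default would presumably not even connect without an override — confirm. The coupling is invisible from this file, so a comment above `output.elasticsearch:` should spell it out, e.g. `# Uncommented at container start by 1-config-filebeat from ELASTICSEARCH_URL (use https://), SSL_CERTIFICATE_AUTHORITIES, USERNAME and PASSWORD; set all of them together — Basic auth over http sends the password in cleartext.` Since `/etc/filebeat` is a persistent volume per `permanent_data.env`, a second comment noting that edits here survive image upgrades would save the next maintainer some confusion.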
diff --git a/wazuh-opendistro/config/permanent_data.env b/wazuh-opendistro/config/permanent_data.env
new file mode 100644
index 00000000..ca461d63
--- /dev/null
+++ b/wazuh-opendistro/config/permanent_data.env
@@ -0,0 +1,74 @@ +# Permanent data mounted in volumes +i=0 +PERMANENT_DATA[((i++))]="/var/ossec/api/configuration" +PERMANENT_DATA[((i++))]="/var/ossec/etc" +PERMANENT_DATA[((i++))]="/var/ossec/logs" +PERMANENT_DATA[((i++))]="/var/ossec/queue" +PERMANENT_DATA[((i++))]="/var/ossec/agentless" +PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups" +PERMANENT_DATA[((i++))]="/var/ossec/integrations" +PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin" +PERMANENT_DATA[((i++))]="/var/ossec/wodles" +PERMANENT_DATA[((i++))]="/etc/filebeat" +export PERMANENT_DATA + +# Files mounted in a volume that should not be permanent +i=0 +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/internal_options.conf" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw_mac.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.py" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-slack.sh" 
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-tweeter.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_bsd" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/main.exp" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/su.exp" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_linux" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/register_host.sh" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap.py" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_oval.xsl" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_xccdf.xsl" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-redhat-6-ds.xml" 
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-redhat-7-ds.xml" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-centos-6-ds.xml" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-centos-7-ds.xml" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-fedora-24-ds.xml" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-rhel-6-ds.xml" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-rhel-7-ds.xml" +export PERMANENT_DATA_EXCP + +# Files mounted in a volume that should be deleted +i=0 +PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db" +export PERMANENT_DATA_DEL diff --git a/wazuh-opendistro/config/permanent_data.sh b/wazuh-opendistro/config/permanent_data.sh new file mode 100644 index 00000000..7dfaa647 --- /dev/null +++ b/wazuh-opendistro/config/permanent_data.sh @@ -0,0 +1,40 @@ +#!/bin/bash +# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2) + +# Variables +source /permanent_data.env + +WAZUH_INSTALL_PATH=/var/ossec +DATA_TMP_PATH=${WAZUH_INSTALL_PATH}/data_tmp +mkdir ${DATA_TMP_PATH} + +# Move exclusion files to EXCLUSION_PATH +EXCLUSION_PATH=${DATA_TMP_PATH}/exclusion +mkdir ${EXCLUSION_PATH} + +for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do + # Create the directory for the exclusion file if it does not exist + DIR=$(dirname "${exclusion_file}") + if [ ! -e ${EXCLUSION_PATH}/${DIR} ] + then + mkdir -p ${EXCLUSION_PATH}/${DIR} + fi + + mv ${exclusion_file} ${EXCLUSION_PATH}/${exclusion_file} +done + +# Move permanent files to PERMANENT_PATH +PERMANENT_PATH=${DATA_TMP_PATH}/permanent +mkdir ${PERMANENT_PATH} + +for permanent_dir in "${PERMANENT_DATA[@]}"; do + # Create the directory for the permanent file if it does not exist + DIR=$(dirname "${permanent_dir}") + if [ ! -e ${PERMANENT_PATH}${DIR} ] + then + mkdir -p ${PERMANENT_PATH}${DIR} + fi + + mv ${permanent_dir} ${PERMANENT_PATH}${permanent_dir} + +done 
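Review bot: `permanent_data.sh` runs at image build time without `set -e`, so when an entry of `PERMANENT_DATA_EXCP` does not exist in the installed wazuh-manager package the `mv` prints an error and the build carries on; that file never reaches `data_tmp/exclusion`, and at runtime `apply_exclusion_data` skips it because of its `-e` test, leaving the stale copy from the volume in place — the exact situation the exclusion list exists to prevent (e.g. `internal_options.conf` after an upgrade). The list is hard-wired to one package layout, so this will bite silently on the next version bump. Start the script with `set -euo pipefail` and make the decision explicit before each `mv`: `[ -e "${exclusion_file}" ] || { echo "missing ${exclusion_file}" >&2; exit 1; }`, or log and `continue` for entries that are genuinely optional. Quoting `"${DATA_TMP_PATH}"`, `"${EXCLUSION_PATH}"` and the loop variables would also let shellcheck pass cleanly.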
diff --git a/wazuh-opendistro/config/wazuh.repo b/wazuh-opendistro/config/wazuh.repo
new file mode 100644
index 00000000..ae462c62
--- /dev/null
+++ b/wazuh-opendistro/config/wazuh.repo
@@ -0,0 +1,7 @@
+[wazuh_repo]
+gpgcheck=1
+gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
+enabled=1
+name=Wazuh repository
+baseurl=https://packages.wazuh.com/3.x/yum/
+protect=1
From 9e87c1b597e31192beb08181e262f3073d87b13d Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Tue, 18 Aug 2020 17:04:12 +0200
Subject: [PATCH 053/156] Add initial support for kibana-opendistro
---
 kibana-opendistro/Dockerfile | 60 ++++++++++++++++
 kibana-opendistro/config/entrypoint.sh | 53 ++++++++++++++
 kibana-opendistro/config/kibana_settings.sh | 76 ++++++++++++++++++++
 kibana-opendistro/config/wazuh_app_config.sh | 67 +++++++++++++++++
 kibana-opendistro/config/welcome_wazuh.sh | 24 +++++++
 5 files changed, 280 insertions(+)
 create mode 100644 kibana-opendistro/Dockerfile
 create mode 100644 kibana-opendistro/config/entrypoint.sh
 create mode 100644 kibana-opendistro/config/kibana_settings.sh
 create mode 100644 kibana-opendistro/config/wazuh_app_config.sh
 create mode 100644 kibana-opendistro/config/welcome_wazuh.sh
diff --git a/kibana-opendistro/Dockerfile b/kibana-opendistro/Dockerfile
new file mode 100644
index 00000000..4b4ba99f
--- /dev/null
+++ b/kibana-opendistro/Dockerfile
@@ -0,0 +1,60 @@
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+FROM amazon/opendistro-for-elasticsearch-kibana:1.9.0
+USER kibana
+ARG ELASTIC_VERSION=7.8.0
+ARG WAZUH_VERSION=3.13.1
+ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
+
+WORKDIR /usr/share/kibana
+RUN ./bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip
+
+WORKDIR /
+USER root
+COPY config/entrypoint.sh ./entrypoint.sh
+RUN chmod 755 ./entrypoint.sh
+
+ENV PATTERN="" \
+ CHECKS_PATTERN="" \
+ CHECKS_TEMPLATE="" \
+ CHECKS_API="" \
+ CHECKS_SETUP="" \
+ EXTENSIONS_PCI="" \
+ EXTENSIONS_GDPR="" \
+ EXTENSIONS_AUDIT="" \
+ EXTENSIONS_OSCAP="" \
+ EXTENSIONS_CISCAT="" \
+ EXTENSIONS_AWS="" \
+ EXTENSIONS_VIRUSTOTAL="" \
+ EXTENSIONS_OSQUERY="" \
+ APP_TIMEOUT="" \
+ WAZUH_SHARDS="" \
+ WAZUH_REPLICAS="" \
+ WAZUH_VERSION_SHARDS="" \
+ WAZUH_VERSION_REPLICAS="" \
+ IP_SELECTOR="" \
+ IP_IGNORE="" \
+ WAZUH_MONITORING_ENABLED="" \
+ WAZUH_MONITORING_FREQUENCY="" \
+ WAZUH_MONITORING_SHARDS="" \
+ WAZUH_MONITORING_REPLICAS="" \
+ ADMIN_PRIVILEGES=""
+
+ARG CHANGE_WELCOME="false"
+
+COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
+
+RUN chmod +x ./wazuh_app_config.sh
+
+COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
+
+RUN chmod +x ./kibana_settings.sh
+
+COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
+
+RUN chmod +x ./welcome_wazuh.sh
+
+RUN ./welcome_wazuh.sh
+USER kibana
+RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --optimize
+
+ENTRYPOINT ./entrypoint.sh
diff --git a/kibana-opendistro/config/entrypoint.sh b/kibana-opendistro/config/entrypoint.sh
new file mode 100644
index 00000000..79039afc
--- /dev/null
+++ b/kibana-opendistro/config/entrypoint.sh
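Review bot: `./bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip` fetches and unpacks the app straight from the network with no integrity check, so the image content rests entirely on TLS to that host at build time and cannot be reproduced if the artefact is ever replaced. `entrypoint.sh` already depends on curl being present in this base image, so the zip can be downloaded, checked against a digest passed as a build argument, and installed from a `file://` URL as below; if Wazuh publishes a checksum for the app package that is the value to pin, and an unset `WAZUH_APP_SHA256` makes `sha256sum -c` fail the build, which is the intended behaviour. A smaller point: `ENTRYPOINT ./entrypoint.sh` is the shell form, so Kibana runs under `sh -c` and never sees the SIGTERM from `docker stop`; use `ENTRYPOINT ["/entrypoint.sh"]` and finish the script with `exec /usr/local/bin/kibana-docker`.

```dockerfile
ARG WAZUH_APP_SHA256
WORKDIR /usr/share/kibana
RUN curl --fail -sSL -o /tmp/wazuhapp.zip "https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip" && \
    echo "${WAZUH_APP_SHA256}  /tmp/wazuhapp.zip" | sha256sum -c - && \
    ./bin/kibana-plugin install "file:///tmp/wazuhapp.zip" && \
    rm -f /tmp/wazuhapp.zip
# … unchanged: WORKDIR /, USER root, entrypoint copy, ENV block, helper scripts …
```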
@@ -0,0 +1,53 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) + +set -e + +############################################################################## +# Waiting for elasticsearch +############################################################################## + +if [ "x${ELASTICSEARCH_URL}" = "x" ]; then + el_url="http://elasticsearch:9200" +else + el_url="${ELASTICSEARCH_URL}" +fi + +auth="" + +until curl -XGET $el_url ${auth}; do + >&2 echo "Elastic is unavailable - sleeping" + sleep 5 +done + +sleep 2 + +>&2 echo "Elasticsearch is up." + + +############################################################################## +# Waiting for wazuh alerts template +############################################################################## + +strlen=0 + +while [[ $strlen -eq 0 ]] +do + template=$(curl $el_url/_cat/templates/wazuh -s) + strlen=${#template} + >&2 echo "Wazuh alerts template not loaded - sleeping." + sleep 2 +done + +sleep 2 + +>&2 echo "Wazuh alerts template is loaded." + + +./wazuh_app_config.sh + +sleep 5 + +./kibana_settings.sh & + +/usr/local/bin/kibana-docker diff --git a/kibana-opendistro/config/kibana_settings.sh b/kibana-opendistro/config/kibana_settings.sh new file mode 100644 index 00000000..0f624725 --- /dev/null +++ b/kibana-opendistro/config/kibana_settings.sh 
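Review bot: The template wait loop treats any non-empty body from `_cat/templates/wazuh` as success, so a `401` from the Open Distro security plugin (whose error body is not empty) or any other error page ends the wait at once and `wazuh_app_config.sh` runs against a cluster that has no template yet; `auth` is likewise initialised to `""` and never populated, even though the compose change in this series passes `ELASTICSEARCH_USERNAME`/`ELASTICSEARCH_PASSWORD` to this container and the sibling `kibana_settings.sh` builds `curl_auth` from them. Check the HTTP status as well as the body, as below, and derive `auth` the same way `kibana_settings.sh` does. Finally, `kibana-docker` is started without `exec`, so the shell remains PID 1 and signals are not forwarded to Kibana; `exec /usr/local/bin/kibana-docker` fixes that.

```bash
# … unchanged: wait for Elasticsearch …
until [ "$(curl -s -o /dev/null -w '%{http_code}' ${auth} "$el_url/_cat/templates/wazuh")" = "200" ] && \
      [ -n "$(curl -s ${auth} "$el_url/_cat/templates/wazuh")" ]; do
  >&2 echo "Wazuh alerts template not loaded - sleeping."
  sleep 2
done
# … unchanged: app config, kibana settings, kibana start …
```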
@@ -0,0 +1,76 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) + +WAZUH_MAJOR=3 + +############################################################################## +# Wait for the Kibana API to start. It is necessary to do it in this container +# because the others are running Elastic Stack and we can not interrupt them. +# +# The following actions are performed: +# +# Add the wazuh alerts index as default. +# Set the Discover time interval to 24 hours instead of 15 minutes. +# Do not ask user to help providing usage statistics to Elastic. +############################################################################## + +############################################################################## +# Customize elasticsearch ip +############################################################################## +if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then + sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml + sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml +fi + +# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate. +if [ "$KIBANA_INDEX" != "" ]; then + if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then + sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml + fi + echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml +fi + +if [ "$KIBANA_IP" != "" ]; then + kibana_ip="$KIBANA_IP" +else + kibana_ip="kibana" +fi + +# Add auth headers if required +if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; then + curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD" +fi + +while [[ "$(curl $curl_auth -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_ip:5601/status)" != "200" ]]; do + echo "Waiting for Kibana API. Sleeping 5 seconds" + sleep 5 +done + +# Prepare index selection. 
+echo "Kibana API is running" + +default_index="/tmp/default_index.json" + +cat > ${default_index} << EOF +{ + "changes": { + "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*" + } +} +EOF + +sleep 5 +# Add the wazuh alerts index as default. +curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} +rm -f ${default_index} + +sleep 5 +# Configuring Kibana TimePicker. +curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ +'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}' + +sleep 5 +# Do not ask user to help providing usage statistics to Elastic +curl -POST "http://$kibana_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}' + +echo "End settings" diff --git a/kibana-opendistro/config/wazuh_app_config.sh b/kibana-opendistro/config/wazuh_app_config.sh new file mode 100644 index 00000000..6d9f05eb --- /dev/null +++ b/kibana-opendistro/config/wazuh_app_config.sh 
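Review bot: `curl_auth` is assembled from `ELASTICSEARCH_USERNAME`/`ELASTICSEARCH_PASSWORD` but only reaches the readiness probe; the three `curl -POST` calls that actually change settings (`api/kibana/settings` twice and `api/telemetry/v2/optIn`) carry no credentials and no `--fail`, so behind the security plugin they receive a 401 that is printed and ignored and the defaults this script exists to set are never applied. Pass the credentials and make failure visible on each call, e.g. `curl $curl_auth --fail -s -XPOST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} || echo "default index not applied" >&2`. As a side note, `-POST` is parsed by curl as `-P OST` (the FTP port option) and only works because `-d` already implies POST; `-XPOST`, as the probe uses `-XGET`, says what is meant. The script also starts outside this hunk, so the `curl_auth` assignment itself is not visible here.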
@@ -0,0 +1,67 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) + +wazuh_url="${WAZUH_API_URL:-https://wazuh}" +wazuh_port="${API_PORT:-55000}" +api_user="${API_USER:-foo}" +api_password="${API_PASS:-bar}" + +kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml" +mkdir -p /usr/share/kibana/optimize/wazuh/config/ +touch $kibana_config_file + +declare -A CONFIG_MAP=( + [pattern]=$PATTERN + [checks.pattern]=$CHECKS_PATTERN + [checks.template]=$CHECKS_TEMPLATE + [checks.api]=$CHECKS_API + [checks.setup]=$CHECKS_SETUP + [extensions.pci]=$EXTENSIONS_PCI + [extensions.gdpr]=$EXTENSIONS_GDPR + [extensions.audit]=$EXTENSIONS_AUDIT + [extensions.oscap]=$EXTENSIONS_OSCAP + [extensions.ciscat]=$EXTENSIONS_CISCAT + [extensions.aws]=$EXTENSIONS_AWS + [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL + [extensions.osquery]=$EXTENSIONS_OSQUERY + [timeout]=$APP_TIMEOUT + [wazuh.shards]=$WAZUH_SHARDS + [wazuh.replicas]=$WAZUH_REPLICAS + [wazuh-version.shards]=$WAZUH_VERSION_SHARDS + [wazuh-version.replicas]=$WAZUH_VERSION_REPLICAS + [ip.selector]=$IP_SELECTOR + [ip.ignore]=$IP_IGNORE + [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED + [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY + [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS + [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS + [admin]=$ADMIN_PRIVILEGES +) + +for i in "${!CONFIG_MAP[@]}" +do + if [ "${CONFIG_MAP[$i]}" != "" ]; then + sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file + fi +done + +# remove default API entry (new in 3.11.0_7.5.1) +sed -ie '/- default:/,+4d' $kibana_config_file + +CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth}) + +grep -q 1513629884013 $kibana_config_file +_config_exists=$? 
+ +if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then +cat << EOF > $kibana_config_file +hosts: + - 1513629884013: + url: $wazuh_url + port: $wazuh_port + user: $api_user + password: $api_password +EOF +else + echo "Wazuh APP already configured" +fi diff --git a/kibana-opendistro/config/welcome_wazuh.sh b/kibana-opendistro/config/welcome_wazuh.sh new file mode 100644 index 00000000..98306871 --- /dev/null +++ b/kibana-opendistro/config/welcome_wazuh.sh @@ -0,0 +1,24 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) + +if [[ $CHANGE_WELCOME == "true" ]] +then + + rm -rf ./optimize/bundles + + kibana_path="/usr/share/kibana" + # Set Wazuh app as the default landing page + echo "Set Wazuh app as the default landing page" + echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml + + # Redirect Kibana welcome screen to Discover + echo "Redirect Kibana welcome screen to Discover" + sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html + sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js + + # Redirect Kibana welcome screen to Discover + echo "Hide undesired links" + sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js + sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js +fi + From 09a6e9bc1d3e74909a99923876b9a23993976c2b Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 18 Aug 2020 17:04:58 +0200 Subject: [PATCH 054/156] Switch to opendistro images --- docker-compose.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index cd8f90ff..e548edb7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
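Review bot: The `.wazuh` index probe uses `$el_url` and `${auth}`, but neither is defined in this script — they are plain, unexported variables of `entrypoint.sh`, which runs this file as a child process — so the request goes to `/.wazuh/_doc/1513629884013` with no host, `CONFIG_CODE` can never be `200`, and only the `grep` on the local file decides whether the `hosts:` block is written. On the run that does write it, `cat << EOF >` truncates `wazuh.yml` and discards every CONFIG_MAP value the loop above just applied; use `>>`, and give the probe its inputs explicitly (export them in `entrypoint.sh`, or default here with `el_url="${ELASTICSEARCH_URL:-http://elasticsearch:9200}"`). Two smaller items: `sed -ie '/- default:/,+4d'` is `-i` with backup suffix `e`, leaving a stray `wazuh.ymle` beside the config — write `sed -i -e`; and the heredoc stores `password: $api_password` in plaintext with `bar` as the fallback, so the same refuse-the-image-defaults check proposed for the manager's init script belongs here too. The CONFIG_MAP loop and the probe sit in the earlier part of this hunk, above the lines shown on this physical line.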
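Review bot: `rm -rf ./optimize/bundles` is a relative path and the Dockerfile runs this script from `WORKDIR /`, so it removes `/optimize/bundles` (which does not exist) rather than `/usr/share/kibana/optimize/bundles`; `kibana_path` is only assigned on the following line. The four `sed -i` edits target Kibana source paths (`src/ui/public/chrome/...`, `node_modules/x-pack/plugins/...`) that I cannot confirm exist in the 7.8 Open Distro image, and with no `set -e` a missing file merely prints an error, so a stale path silently does nothing. Move the `kibana_path` assignment above the `rm`, use `rm -rf "$kibana_path/optimize/bundles"`, and add `set -e` (or `[ -f "$f" ] || { echo "missing $f" >&2; exit 1; }` before each edit) so the build fails loudly instead of shipping a half-applied branding change.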
@@ -3,7 +3,8 @@ version: '3.7' services: wazuh: - build: wazuh + build: wazuh-opendistro/ + image: wazuh-opendistro hostname: wazuh-manager restart: always ports: @@ -25,24 +26,23 @@ services: - filebeat_var:/var/lib/filebeat elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0 + image: amazon/opendistro-for-elasticsearch:1.9.0 hostname: elasticsearch restart: always ports: - "9200:9200" environment: - - "ES_JAVA_OPTS=-Xms1g -Xmx1g" - - bootstrap.memory_lock=true - discovery.type=single-node + - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + - bootstrap.memory_lock=true ulimits: memlock: soft: -1 hard: -1 - volumes: - - ./elastic_conf/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml kibana: - build: kibana + build: kibana-opendistro/ + image: wazuh-kibana-opendistro hostname: kibana restart: always depends_on: From 746cffc5496942c19ebefebbdc56b96c73a08ac7 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 19 Aug 2020 16:19:27 +0200 Subject: [PATCH 055/156] Update compose --- docker-compose.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index e548edb7..893e2b8f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -33,8 +33,12 @@ services: - "9200:9200" environment: - discovery.type=single-node + - cluster.name=wazuh-cluster + - network.host=0.0.0.0 - "ES_JAVA_OPTS=-Xms512m -Xmx512m" - bootstrap.memory_lock=true + volumes: + - ./elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml ulimits: memlock: soft: -1 @@ -45,6 +49,10 @@ services: image: wazuh-kibana-opendistro hostname: kibana restart: always + environment: + - ELASTICSEARCH_USERNAME=admin + - ELASTICSEARCH_PASSWORD=SecretPass + - ELASTICSEARCH_KIBANA_IP="https://elasticsearch:9200" depends_on: - elasticsearch links: From 95473050615074346100c05ae2ad64624c6d6a95 Mon Sep 17 00:00:00 2001 
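Review bot: The kibana service now carries `ELASTICSEARCH_USERNAME=admin` and `ELASTICSEARCH_PASSWORD=SecretPass` as literals in the committed compose file, while the first hunk of the same patch publishes `9200:9200` alongside `network.host=0.0.0.0`, so the Elasticsearch API is reachable on every host interface with a credential that is now public in the repository (the mounted `internal_users.yml` is not shown here, so whether it holds the same password is inferred). Take the secret from the environment and fail fast when it is absent, `- ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_PASSWORD:?set in .env}`, and bind the port to loopback or drop it unless external access is intended: `- "127.0.0.1:9200:9200"`. Also, in the `- KEY=value` list form the double quotes in `ELASTICSEARCH_KIBANA_IP="https://elasticsearch:9200"` are part of the value, and `kibana_settings.sh` pastes that value into `kibana.yml` with sed, so the quotes presumably land in the config — confirm and drop them.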
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Wed, 19 Aug 2020 16:19:49 +0200
Subject: [PATCH 056/156] Add custom welcome
---
 .../custom_welcome/security-login.style.css | 118 ++++++++++++++++++
 .../config/custom_welcome/template.js.hbs | 112 +++++++++++++++++
 .../custom_welcome/wazuh_logo_circle.svg | 1 +
 .../config/custom_welcome/wazuh_wazuh_bg.svg | 1 +
 4 files changed, 232 insertions(+)
 create mode 100644 kibana-opendistro/config/custom_welcome/security-login.style.css
 create mode 100644 kibana-opendistro/config/custom_welcome/template.js.hbs
 create mode 100644 kibana-opendistro/config/custom_welcome/wazuh_logo_circle.svg
 create mode 100644 kibana-opendistro/config/custom_welcome/wazuh_wazuh_bg.svg
diff --git a/kibana-opendistro/config/custom_welcome/security-login.style.css b/kibana-opendistro/config/custom_welcome/security-login.style.css
new file mode 100644
index 00000000..6648df2b
--- /dev/null
+++ b/kibana-opendistro/config/custom_welcome/security-login.style.css
@@ -0,0 +1,118 @@ +#security-login-app .content { + background: url(./wazuh_wazuh_bg.svg) !important; + width: 100% !important; + height: 100% !important; + background-size: cover !important; +} + +.app-wrapper { + left: 0; +} + +.global-nav.is-global-nav-open+.app-wrapper { + left: 0; +} + +.btn-default { + background-color: #00a9e5!important; + border-color: #00a0e5!important; + color: #ffffff; + padding: 8px; +} + +.btn-default:hover { + background-color: #00a9e5!important; + border-color: #00a0e5!important; + color: #ffffff; +} + +.brand-image-container { + text-align: center; +} + +.brand-image { + display: none; +} + +.login-wrapper { + position: absolute; + width: 430px; + top: 55px; + border-radius: 1px; + padding: 1em; +} + +.login-wrapper .login-title { + text-align: center; + padding-bottom: 10px; + color: #ffffff !important; + font-size: 35px !important; + font-weight: 300; +} + +.login-wrapper .login-subtitle { + text-align: center; + padding-bottom: 15px; + color: #ffffff !important; + font-size: 16px !important; +} + +.login-wrapper .login-form { + padding: 16px; + box-shadow: 0 2px 2px -1px rgba(152, 162, 179, 0.3), 0 1px 5px -2px rgba(152, 162, 179, 0.3); + background-color: #FFF; + border: 1px solid #D3DAE6; + border-radius: 4px; + -webkit-box-flex: 1; + -ms-flex-positive: 1; + flex-grow: 1; + margin-top: 32px; +} + +.login-wrapper .login-form .input-group { + margin-bottom: 1em; +} + +.login-wrapper .login-form .kuiTextInput { + cursor: initial; +} + +.login-wrapper .login-form .kuiTextInput:invalid:not(.ng-touched) { + border-color: #D9D9D9; +} + +.login-wrapper .login-form .kuiTextInput.has-error { + border-color: #A30000; +} + +.login-wrapper .login-form .btn-login { + width: 100%; +} + +.login-wrapper .error-message { + color: #b4251d; + font-size: 14px; + margin-top: 16px; + margin-bottom: 0; + background-color: #f8e9e9; + padding: 8px; + font-weight: 400; + border-left: 2px solid #BD271E; +} + +.loginWelcome__logo { + display: inline-block; 
+ width: 80px; + height: 80px; + line-height: 80px; + text-align: center; + background-color: #FFF; + border-radius: 100%; + padding: 16px; + box-shadow: 0 6px 12px -1px rgba(152, 162, 179, 0.2), 0 4px 4px -1px rgba(152, 162, 179, 0.2), 0 2px 2px 0 rgba(152, 162, 179, 0.2); + margin-bottom: 32px; +} + +.loginWelcome__logo { + background: url(./wazuh_logo_circle.svg) center center no-repeat !important; +} \ No newline at end of file diff --git a/kibana-opendistro/config/custom_welcome/template.js.hbs b/kibana-opendistro/config/custom_welcome/template.js.hbs new file mode 100644 index 00000000..54255bca --- /dev/null +++ b/kibana-opendistro/config/custom_welcome/template.js.hbs 
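Review bot: `.loginWelcome__logo` is declared twice at the end of the file, and the second rule's `background: url(./wazuh_logo_circle.svg) center center no-repeat !important` is the shorthand, which resets `background-color` and so discards the `background-color: #FFF` of the first rule (unless a transparent circle is the intent). One merged rule makes the choice explicit: `background: #FFF url(./wazuh_logo_circle.svg) center center no-repeat !important;`. The `!important` on nearly every declaration suggests these selectors are overriding a specific Kibana/Open Distro login stylesheet; a header comment naming the version they were taken from would help the next Elastic bump.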
@@ -0,0 +1,112 @@ +var kbnCsp = JSON.parse(document.querySelector('kbn-csp').getAttribute('data')); +window.__kbnStrictCsp__ = kbnCsp.strictCsp; +window.__kbnDarkMode__ = {{darkMode}}; +window.__kbnPublicPath__ = {{publicPathMap}}; + +if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) { + var legacyBrowserError = document.getElementById('kbn_legacy_browser_error'); + legacyBrowserError.style.display = 'flex'; +} else { + if (!window.__kbnCspNotEnforced__ && window.console) { + window.console.log("^ A single error about an inline script not firing due to content security policy is expected!"); + } + var loadingMessage = document.getElementById('kbn_loading_message'); + loadingMessage.style.display = 'flex'; + + window.onload = function () { + //WAZUH + var interval = setInterval(() => { + var title = document.getElementsByClassName('login-title'); + if ((title || []).length) { + clearInterval(interval); + title[0].textContent = "Welcome to Wazuh"; + var subtitle = document.getElementsByClassName('login-subtitle'); + subtitle[0].textContent = "The Open Source Security Platform"; + var logo = document.getElementsByClassName('brand-image-container'); + $(logo).append(''); + } + }) + // + + function failure() { + // make subsequent calls to failure() noop + failure = function () {}; + + var err = document.createElement('h1'); + err.style['color'] = 'white'; + err.style['font-family'] = 'monospace'; + err.style['text-align'] = 'center'; + err.style['background'] = '#F44336'; + err.style['padding'] = '25px'; + err.innerText = document.querySelector('[data-error-message]').dataset.errorMessage; + + document.body.innerHTML = err.outerHTML; + } + +var stylesheetTarget = document.querySelector('head meta[name="add-styles-here"]') + function loadStyleSheet(url, cb) { + var dom = document.createElement('link'); + dom.rel = 'stylesheet'; + dom.type = 'text/css'; + dom.href = url; + dom.addEventListener('error', failure); + dom.addEventListener('load', cb); + 
document.head.insertBefore(dom, stylesheetTarget); + } + + var scriptsTarget = document.querySelector('head meta[name="add-scripts-here"]') + function loadScript(url, cb) { + var dom = document.createElement('script'); + {{!-- NOTE: async = false is used to trigger async-download/ordered-execution as outlined here: https://www.html5rocks.com/en/tutorials/speed/script-loading/ --}} + dom.async = false; + dom.src = url; + dom.addEventListener('error', failure); + dom.addEventListener('load', cb); + document.head.insertBefore(dom, scriptsTarget); + } + + function load(urls, cb) { + var pending = urls.length; + urls.forEach(function (url) { + var innerCb = function () { + pending = pending - 1; + if (pending === 0 && typeof cb === 'function') { + cb(); + } + } + + if (typeof url !== 'string') { + load(url, innerCb); + } else if (url.slice(-4) === '.css') { + loadStyleSheet(url, innerCb); + } else { + loadScript(url, innerCb); + } + }); + } + + load([ + {{#each jsDependencyPaths}} + '{{this}}', + {{/each}} + ], function () { + {{#unless legacyBundlePath}} + if (!__kbnBundles__ || !__kbnBundles__['entry/core'] || typeof __kbnBundles__['entry/core'].__kbnBootstrap__ !== 'function') { + console.error('entry/core bundle did not load correctly'); + failure(); + } else { + __kbnBundles__['entry/core'].__kbnBootstrap__() + } + {{/unless}} + + load([ + {{#if legacyBundlePath}} + '{{legacyBundlePath}}', + {{/if}} + {{#each styleSheetPaths}} + '{{this}}', + {{/each}} + ]); + }); + } +} \ No newline at end of file diff --git a/kibana-opendistro/config/custom_welcome/wazuh_logo_circle.svg b/kibana-opendistro/config/custom_welcome/wazuh_logo_circle.svg new file mode 100644 index 00000000..45a61d74 --- /dev/null +++ b/kibana-opendistro/config/custom_welcome/wazuh_logo_circle.svg @@ -0,0 +1 @@ +wazuh_logo_circle \ No newline at end of file 
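Review bot: The `setInterval(() => {...})` added under `//WAZUH` has no delay argument and is only cleared once a `.login-title` element exists, so on every page rendered through this bootstrap template other than the login form it keeps polling the DOM at the browser's minimum timer rate for the life of the page. `$(logo).append('')` appends an empty string, so it is a no-op whose only possible effect is a ReferenceError if `$` is not a global here (the hunk does not show jQuery being exposed to this script). The arrow function is also the only ES2015 syntax in a file whose other branch exists to show a legacy-browser error, so it fails to parse on exactly those browsers; `function () {}` keeps the file uniform. The rewritten poll below bounds the retries and drops the no-op.

```javascript
    window.onload = function () {
      //WAZUH: poll briefly for the login form; give up on pages that never render it
      var attempts = 0;
      var interval = setInterval(function () {
        var title = document.getElementsByClassName('login-title');
        if (title.length) {
          clearInterval(interval);
          title[0].textContent = "Welcome to Wazuh";
          var subtitle = document.getElementsByClassName('login-subtitle');
          if (subtitle.length) {
            subtitle[0].textContent = "The Open Source Security Platform";
          }
        } else if (++attempts > 50) {
          clearInterval(interval);
        }
      }, 200);
      // … unchanged: failure(), loadStyleSheet(), loadScript(), load() and the load([...]) call …
```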
diff --git a/kibana-opendistro/config/custom_welcome/wazuh_wazuh_bg.svg b/kibana-opendistro/config/custom_welcome/wazuh_wazuh_bg.svg new file mode 100644 index 00000000..0c49c5c6 --- /dev/null +++ b/kibana-opendistro/config/custom_welcome/wazuh_wazuh_bg.svg @@ -0,0 +1 @@ +wazuh_wazuh_bg \ No newline at end of file From 5079a68fb051e353fe964dadc0d2b72946843e58 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 19 Aug 2020 16:20:44 +0200 Subject: [PATCH 057/156] Copy custom welcome files --- kibana-opendistro/Dockerfile | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/kibana-opendistro/Dockerfile b/kibana-opendistro/Dockerfile index 4b4ba99f..7dd86ede 100644 --- a/kibana-opendistro/Dockerfile +++ b/kibana-opendistro/Dockerfile @@ -39,21 +39,18 @@ ENV PATTERN="" \ WAZUH_MONITORING_REPLICAS="" \ ADMIN_PRIVILEGES="" -ARG CHANGE_WELCOME="false" - COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./ - RUN chmod +x ./wazuh_app_config.sh COPY --chown=kibana:kibana ./config/kibana_settings.sh ./ - RUN chmod +x ./kibana_settings.sh +COPY ./config/custom_welcome /tmp/custom_welcome COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./ - RUN chmod +x ./welcome_wazuh.sh - +ARG CHANGE_WELCOME="false" RUN ./welcome_wazuh.sh + USER kibana RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --optimize From 9dc2c0f82a84f0f44dec525288d54ed4b86d9819 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 20 Aug 2020 17:02:00 +0200 Subject: [PATCH 058/156] Add extra ssl settings --- wazuh-opendistro/config/filebeat.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/wazuh-opendistro/config/filebeat.yml b/wazuh-opendistro/config/filebeat.yml index 0d04bac8..8a627bf9 100644 --- a/wazuh-opendistro/config/filebeat.yml +++ b/wazuh-opendistro/config/filebeat.yml 
@@ -13,9 +13,10 @@ setup.template.json.name: 'wazuh' setup.template.overwrite: true setup.ilm.enabled: false output.elasticsearch: - hosts: ['http://elasticsearch:9200'] + hosts: ['https://elasticsearch:9200'] + #username: + #password: + #ssl.verification_mode: #ssl.certificate_authorities: #ssl.certificate: #ssl.key: - #username: - #password: From 727560b2d1d19e00e8cfffc347dc5713bd935a3a Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 20 Aug 2020 17:02:28 +0200 Subject: [PATCH 059/156] Fix logic to setup filebeat.yml --- .../config/etc/cont-init.d/1-config-filebeat | 28 +++++++++++-------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat b/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat index 2f744915..dae9947f 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat +++ b/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat 
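Review bot: The new `#ssl.verification_mode:` placeholder gives no hint of the accepted values, and the init script that fills it (`sed -i "s|#ssl.verification_mode:.*|..."` in 1-config-filebeat) accepts anything, so the first value users will paste from the compose example is `none`. A comment on the placeholder keeps that choice deliberate, e.g. `#ssl.verification_mode:  # full (default) | certificate | none; 'none' skips server certificate checks`. Since `hosts:` now defaults to `https://` while `#ssl.certificate_authorities:` stays commented, a note that an https endpoint needs either the CA or an explicit verification mode (otherwise Filebeat rejects Open Distro's self-signed certificate) would save the first failed start. The `#username:`/`#password:` lines are sed anchors matched literally by that script, so a comment saying they must stay in this exact form prevents someone "tidying" them away.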
@@ -5,25 +5,31 @@ set -e if [ "$ELASTICSEARCH_URL" != "" ]; then >&2 echo "Customize Elasticsearch ouput IP" - sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml + sed -i "s|hosts:.*|hosts: ['$ELASTICSEARCH_URL']|g" /etc/filebeat/filebeat.yml fi # Configure filebeat.yml security settings +if [ "$ELASTIC_USERNAME" != "" ]; then + >&2 echo "Configuring username." + sed -i "s|#username:.*|username: '$ELASTIC_USERNAME'|g" /etc/filebeat/filebeat.yml +fi + +if [ "$ELASTIC_PASSWORD" != "" ]; then + >&2 echo "Configuring password." + sed -i "s|#password:.*|password: '$ELASTIC_PASSWORD'|g" /etc/filebeat/filebeat.yml +fi + +if [ "$FILEBEAT_SSL_VERIFICATION_MODE" != "" ]; then + >&2 echo "Configuring SSL verification mode." + sed -i "s|#ssl.verification_mode:.*|ssl.verification_mode: $FILEBEAT_SSL_VERIFICATION_MODE|g" /etc/filebeat/filebeat.yml +fi + if [ "$SSL_CERTIFICATE_AUTHORITIES" != "" ]; then >&2 echo "Configuring Certificate Authorities." - sed -i 's|#ssl.certificate_authorities:|'ssl.certificate_authorities:\ [\"$SSL_CERTIFICATE_AUTHORITIES\"]'|g' /etc/filebeat/filebeat.yml + sed -i "s|#ssl.certificate_authorities:.*|ssl.certificate_authorities: ['$SSL_CERTIFICATE_AUTHORITIES']|g" /etc/filebeat/filebeat.yml fi -if [ "$USERNAME" != "" ]; then - >&2 echo "Configuring username." - sed -i 's|#username:|'username:\ \"$USERNAME\"'|g' /etc/filebeat/filebeat.yml -fi - -if [ "$PASSWORD" != "" ]; then - >&2 echo "Configuring password." - sed -i 's|#password:|'password:\ \"$PASSWORD\"'|g' /etc/filebeat/filebeat.yml -fi chmod go-w /etc/filebeat/filebeat.yml || true chown root: /etc/filebeat/filebeat.yml || true From c1bcdaf5fb9da13e08190b99f9b02dd58e0bb766 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 20 Aug 2020 17:11:07 +0200 Subject: [PATCH 060/156] Update filebeat config vars --- docker-compose.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
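Review bot: `sed -i "s|#password:.*|password: '$ELASTIC_PASSWORD'|g"` splices the secret into a sed expression unescaped, so a password containing `|`, `&`, `\` or `'` either breaks the sed script or writes invalid YAML, and the value is visible to every process in the container on the sed command line (and in the log should `set -x` ever be enabled); the username, URL and CA lines share the quoting problem. Filebeat expands `${VAR}` references in its own config, so writing a reference instead of the value, `sed -i "s|#password:.*|password: '\${ELASTIC_PASSWORD}'|g" /etc/filebeat/filebeat.yml`, keeps the secret out of both the file and the command line, provided the filebeat service is started with the container environment (its services.d run script is outside this hunk, so check it uses `with-contenv`). If the literal must be written, quote it in YAML double quotes and escape the sed metacharacters first.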
diff --git a/docker-compose.yml b/docker-compose.yml index 893e2b8f..e6f23646 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -12,6 +12,11 @@ services: - "1515:1515" - "514:514/udp" - "55000:55000" + environment: + - ELASTICSEARCH_URL=https://elasticsearch:9200 + - ELASTIC_USERNAME=admin + - ELASTIC_PASSWORD=admin + - FILEBEAT_SSL_VERIFICATION_MODE=none volumes: - ossec_api_configuration:/var/ossec/api/configuration - ossec_etc:/var/ossec/etc @@ -37,8 +42,6 @@ services: - network.host=0.0.0.0 - "ES_JAVA_OPTS=-Xms512m -Xmx512m" - bootstrap.memory_lock=true - volumes: - - ./elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml ulimits: memlock: soft: -1 From 8af39e3a568920ab3bfa0c2cf956ddfdb9720363 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 20 Aug 2020 19:01:30 +0200 Subject: [PATCH 061/156] Export variables to share with sub-shell --- kibana-opendistro/config/entrypoint.sh | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/kibana-opendistro/config/entrypoint.sh b/kibana-opendistro/config/entrypoint.sh index 79039afc..cca7c3da 100644 --- a/kibana-opendistro/config/entrypoint.sh +++ b/kibana-opendistro/config/entrypoint.sh 
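Review bot: `FILEBEAT_SSL_VERIFICATION_MODE=none` switches off certificate verification on the Filebeat→Elasticsearch link that `ELASTICSEARCH_URL=https://elasticsearch:9200` just moved to TLS, so the alert stream gets encryption without authenticating the peer, and any service on the compose network can stand in for the node. The Open Distro image ships a demo CA (root-ca.pem under its config directory, as far as I recall), so the stock setup can verify instead: mount that CA into the wazuh service and set `SSL_CERTIFICATE_AUTHORITIES`, which the same init script honours, keeping `none` as a documented override for lab setups. `ELASTIC_PASSWORD=admin` is the committed-credential issue already raised on the first compose hunk.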
@@ -7,13 +7,23 @@ set -e # Waiting for elasticsearch ############################################################################## -if [ "x${ELASTICSEARCH_URL}" = "x" ]; then - el_url="http://elasticsearch:9200" +if [ "x${ELASTICSEARCH_URL}" == "x" ]; then + if [[ ${ENABLED_SECURITY} == "false" ]]; then + export el_url="http://elasticsearch:9200" + else + export el_url="https://elasticsearch:9200" + fi else - el_url="${ELASTICSEARCH_URL}" + export el_url="${ELASTICSEARCH_URL}" fi -auth="" +if [[ ${ENABLED_SECURITY} == "false" || "x${ELASTICSEARCH_USERNAME}" == "x" || "x${ELASTICSEARCH_PASSWORD}" == "x" ]]; then + auth="" + # remove security plugin from kibana if elasticsearch is not using it either + /usr/share/kibana/bin/kibana-plugin remove opendistro_security +else + export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k" +fi until curl -XGET $el_url ${auth}; do >&2 echo "Elastic is unavailable - sleeping" @@ -33,7 +43,7 @@ strlen=0 while [[ $strlen -eq 0 ]] do - template=$(curl $el_url/_cat/templates/wazuh -s) + template=$(curl ${auth} $el_url/_cat/templates/wazuh -s) strlen=${#template} >&2 echo "Wazuh alerts template not loaded - sleeping." sleep 2 From b1e0f9b35e0b9d3a1e300901192aa615a3a1b802 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 20 Aug 2020 19:02:04 +0200 Subject: [PATCH 062/156] Move auth --- kibana-opendistro/config/wazuh_app_config.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kibana-opendistro/config/wazuh_app_config.sh b/kibana-opendistro/config/wazuh_app_config.sh index 6d9f05eb..ec16a336 100644 --- a/kibana-opendistro/config/wazuh_app_config.sh +++ b/kibana-opendistro/config/wazuh_app_config.sh 
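Review bot: `export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"` bakes two problems into a variable that every later `curl` (here and, through the export, in kibana_settings.sh and wazuh_app_config.sh) inherits: `-k` disables certificate verification for all of them, and `--user u:p` exposes the password on the curl command line to any process in the container. A `--cacert` pointing at the cluster CA (or `CURL_CA_BUNDLE`) replaces `-k`, and passing the credential through stdin keeps it off the command line, `curl -K - <<<"user = \"${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}\"" ...`. The branch running `/usr/share/kibana/bin/kibana-plugin remove opendistro_security` executes on every container start, so on the second start of a `restart: always` container the plugin is already gone and, if that command exits non-zero for an absent plugin, the `set -e` in the hunk header aborts the entrypoint; guard it, `[ -d /usr/share/kibana/plugins/opendistro_security ] && /usr/share/kibana/bin/kibana-plugin remove opendistro_security`. `[ "x${ELASTICSEARCH_URL}" == "x" ]` mixes bash's `==` into a POSIX `[` test while the next line uses `[[`; `[[ -z ${ELASTICSEARCH_URL} ]]` keeps one form.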
@@ -48,7 +48,7 @@ done # remove default API entry (new in 3.11.0_7.5.1) sed -ie '/- default:/,+4d' $kibana_config_file -CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth}) +CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013) grep -q 1513629884013 $kibana_config_file _config_exists=$? From 6e82f67a9d4e361e47c5a9c9e3b236c59afdd13f Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 21 Aug 2020 15:39:45 +0200 Subject: [PATCH 063/156] Use default password --- docker-compose.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index e6f23646..fa2690cc 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -54,8 +54,7 @@ services: restart: always environment: - ELASTICSEARCH_USERNAME=admin - - ELASTICSEARCH_PASSWORD=SecretPass - - ELASTICSEARCH_KIBANA_IP="https://elasticsearch:9200" + - ELASTICSEARCH_PASSWORD=admin depends_on: - elasticsearch links: From 0c6114698615da12dd6abb7d4245d5be728700a7 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 21 Aug 2020 15:40:35 +0200 Subject: [PATCH 064/156] Customize login styles --- kibana-opendistro/config/welcome_wazuh.sh | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/kibana-opendistro/config/welcome_wazuh.sh b/kibana-opendistro/config/welcome_wazuh.sh index 98306871..46aaddfa 100644 --- a/kibana-opendistro/config/welcome_wazuh.sh +++ b/kibana-opendistro/config/welcome_wazuh.sh 
@@ -3,22 +3,12 @@ if [[ $CHANGE_WELCOME == "true" ]] then - - rm -rf ./optimize/bundles - - kibana_path="/usr/share/kibana" - # Set Wazuh app as the default landing page echo "Set Wazuh app as the default landing page" echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml - # Redirect Kibana welcome screen to Discover - echo "Redirect Kibana welcome screen to Discover" - sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html - sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js - - # Redirect Kibana welcome screen to Discover - echo "Hide undesired links" - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js + echo "Set custom welcome styles" + cp -f /tmp/custom_welcome/template.js.hbs /usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs + cp -f /tmp/custom_welcome/security-login.style.css /usr/share/kibana/optimize/bundles/security-login.style.css + cp -f /tmp/custom_welcome/*svg /usr/share/kibana/optimize/bundles/ fi From e93e67ed6e81feaa699d32c25f7688ba9de786bc Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 21 Aug 2020 15:41:08 +0200 Subject: [PATCH 065/156] Add auth to kibana_settings --- kibana-opendistro/config/kibana_settings.sh | 28 +++++++-------------- 1 file changed, 9 insertions(+), 19 deletions(-) diff --git a/kibana-opendistro/config/kibana_settings.sh b/kibana-opendistro/config/kibana_settings.sh index 0f624725..514727a6 100644 --- a/kibana-opendistro/config/kibana_settings.sh +++ b/kibana-opendistro/config/kibana_settings.sh 
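Review bot: The three `cp -f` lines overwrite files inside the Kibana tree (`src/legacy/ui/ui_render/bootstrap/template.js.hbs` is a core file, not a plugin asset) and nothing in the hunk checks they succeeded; unless the script's first two lines, outside the hunk, set `-e`, a missing source or a moved target path on the next Elastic bump leaves a half-customized image that still builds green. `set -e` at the top plus a coupling note, `# template.js.hbs is a patched copy of this Kibana version's bootstrap template; re-diff it on every Kibana bump`, would make the dependency visible. `echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml` appends unconditionally, so a second run duplicates the key; `grep -q '^server.defaultRoute:' /usr/share/kibana/config/kibana.yml || echo ... >> ...` keeps it idempotent.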
@@ -17,10 +17,9 @@ WAZUH_MAJOR=3 ############################################################################## # Customize elasticsearch ip ############################################################################## -if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then - sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml - sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml -fi +sed -i "s|elasticsearch.hosts:.*|elasticsearch.hosts: $el_url|g" /usr/share/kibana/config/kibana.yml +# disable multitenancy +sed -i "s|opendistro_security.multitenancy.enabled:.*|opendistro_security.multitenancy.enabled: false|g" /usr/share/kibana/config/kibana.yml # If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate. if [ "$KIBANA_INDEX" != "" ]; then @@ -31,17 +30,12 @@ if [ "$KIBANA_INDEX" != "" ]; then fi if [ "$KIBANA_IP" != "" ]; then - kibana_ip="$KIBANA_IP" + kibana_url="$KIBANA_IP" else - kibana_ip="kibana" + kibana_url="kibana" fi -# Add auth headers if required -if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; then - curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD" -fi - -while [[ "$(curl $curl_auth -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_ip:5601/status)" != "200" ]]; do +while [[ "$(curl -XGET -I -s -o /dev/null -w '%{http_code}' $kibana_url:5601/login)" != "200" ]]; do echo "Waiting for Kibana API. Sleeping 5 seconds" sleep 5 done 
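Review bot: `sed -i "s|elasticsearch.hosts:.*|elasticsearch.hosts: $el_url|g" /usr/share/kibana/config/kibana.yml` now runs unconditionally and takes `el_url` from the environment, so when the script is invoked outside entrypoint.sh (which exports it) the line becomes `elasticsearch.hosts: ` and Kibana fails at startup far from the cause; a guard at the top, `: "${el_url:?el_url must be exported by entrypoint.sh}"`, fails fast with the reason. The multitenancy line silently changes an Open Distro default; a one-line comment saying why the Wazuh setup needs it off would stop someone re-enabling it. In the second hunk the readiness probe hits `$kibana_url:5601/login` with neither a scheme nor `${auth}`, while the POSTs further down use `${auth}` and, in one case, an explicit `http://`; one URL form for the whole script avoids a setup where `KIBANA_IP` carries a scheme and only half the calls work.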
@@ -61,16 +55,12 @@ EOF sleep 5 # Add the wazuh alerts index as default. -curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} +curl ${auth} -POST $kibana_url:5601/api/kibana/settings -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} rm -f ${default_index} sleep 5 # Configuring Kibana TimePicker. -curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ -'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}' - -sleep 5 -# Do not ask user to help providing usage statistics to Elastic -curl -POST "http://$kibana_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}' +curl ${auth} -POST "http://$kibana_url:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ +'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-12h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}' echo "End settings" From 81aeac1570520f9cede1b08f307796fb4c3090ed Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 21 Aug 2020 15:42:08 +0200 Subject: [PATCH 066/156] Customize welcome after kibana optimize --- kibana-opendistro/Dockerfile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/kibana-opendistro/Dockerfile b/kibana-opendistro/Dockerfile index 7dd86ede..3694dbcf 100644 --- a/kibana-opendistro/Dockerfile +++ b/kibana-opendistro/Dockerfile 
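Review bot: `curl ${auth} -POST $kibana_url:5601/api/kibana/settings ...` keeps `-POST` from the old line, which curl parses as `-P OST` (`--ftp-port OST`) rather than as a method; the request is a POST only because `-d` implies it, so `-X POST` (or simply no flag) states what is meant. The two new calls also differ in URL form (`$kibana_url:5601/...` vs `"http://$kibana_url:5601/..."`), and both now send the Elasticsearch credentials plus `-k` from `${auth}` to Kibana, which works only if the Open Distro Kibana plugin forwards basic auth — the hunk implies that but does not show it. Dropping the `api/telemetry/v2/optIn` call presumably brings back the telemetry prompt on first login; if that is intended, a short comment saying it was removed on purpose keeps it from being re-added.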
@@ -45,13 +45,13 @@ RUN chmod +x ./wazuh_app_config.sh COPY --chown=kibana:kibana ./config/kibana_settings.sh ./ RUN chmod +x ./kibana_settings.sh -COPY ./config/custom_welcome /tmp/custom_welcome -COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./ -RUN chmod +x ./welcome_wazuh.sh -ARG CHANGE_WELCOME="false" -RUN ./welcome_wazuh.sh - USER kibana RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --optimize +COPY ./config/custom_welcome /tmp/custom_welcome +COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./ +RUN chmod +x ./welcome_wazuh.sh +ARG CHANGE_WELCOME="true" +RUN ./welcome_wazuh.sh + ENTRYPOINT ./entrypoint.sh From 131115c2384df82b22f2803b01aed93dc56b7c57 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 21 Aug 2020 16:03:45 +0200 Subject: [PATCH 067/156] Make sure kibana starts after config changes --- kibana-opendistro/config/entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kibana-opendistro/config/entrypoint.sh b/kibana-opendistro/config/entrypoint.sh index cca7c3da..f2c017f1 100644 --- a/kibana-opendistro/config/entrypoint.sh +++ b/kibana-opendistro/config/entrypoint.sh @@ -60,4 +60,6 @@ sleep 5 ./kibana_settings.sh & +sleep 2 + /usr/local/bin/kibana-docker From 3f0e908a2b92d5f0c86f1249eea67e1913c57298 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Mon, 24 Aug 2020 15:38:04 +0200 Subject: [PATCH 068/156] Use API new default user --- kibana-opendistro/config/wazuh_app_config.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kibana-opendistro/config/wazuh_app_config.sh b/kibana-opendistro/config/wazuh_app_config.sh index ec16a336..afa3d71d 100644 --- a/kibana-opendistro/config/wazuh_app_config.sh +++ b/kibana-opendistro/config/wazuh_app_config.sh 
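Review bot: `ARG CHANGE_WELCOME="true"` flips the default from the `"false"` it replaces, so every build now patches Kibana's bootstrap template unless `--build-arg CHANGE_WELCOME=false` is passed; a comment above the ARG saying so, and why the step must follow `--optimize` (the script writes into optimize/bundles, which that step creates), would make the ordering intentional rather than incidental. `COPY ./config/custom_welcome /tmp/custom_welcome` now lands after `USER kibana` but still without `--chown`, unlike the sibling COPY, so the files are root-owned; the script only reads them, so it works, but `--chown=kibana:kibana` keeps the stage consistent, and `/tmp/custom_welcome` remains in the final image since nothing removes it (a `--mount=type=bind` on the RUN avoids the layer when the build uses BuildKit). `RUN ./welcome_wazuh.sh` now runs as kibana and writes under `/usr/share/kibana/src`, which relies on that tree being kibana-writable in the base image — likely for the Open Distro image, but worth a comment.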
@@ -3,8 +3,8 @@ wazuh_url="${WAZUH_API_URL:-https://wazuh}" wazuh_port="${API_PORT:-55000}" -api_user="${API_USER:-foo}" -api_password="${API_PASS:-bar}" +api_user="${API_USER:-wazuh}" +api_password="${API_PASS:-wazuh}" kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml" mkdir -p /usr/share/kibana/optimize/wazuh/config/ From 65327f8032e029908bd4c3fd25bdf4b584f164e8 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Mon, 24 Aug 2020 15:38:24 +0200 Subject: [PATCH 069/156] Install wazuhapp 4 --- kibana-opendistro/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kibana-opendistro/Dockerfile b/kibana-opendistro/Dockerfile index 3694dbcf..3f72a444 100644 --- a/kibana-opendistro/Dockerfile +++ b/kibana-opendistro/Dockerfile @@ -6,7 +6,7 @@ ARG WAZUH_VERSION=3.13.1 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" WORKDIR /usr/share/kibana -RUN ./bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip +RUN ./bin/kibana-plugin install https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/staging/ui/kibana/wazuhapp-4.0.0_7.8.0_0.0.0.todelete.zip WORKDIR / USER root From 4de5401144daa3e37a549447501b119d47d91f98 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Mon, 24 Aug 2020 15:39:03 +0200 Subject: [PATCH 070/156] Remove wazuh-api s6-overlay calls --- wazuh-opendistro/config/etc/services.d/api/finish | 6 ------ wazuh-opendistro/config/etc/services.d/api/run | 4 ---- 2 files changed, 10 deletions(-) delete mode 100644 wazuh-opendistro/config/etc/services.d/api/finish delete mode 100644 wazuh-opendistro/config/etc/services.d/api/run diff --git a/wazuh-opendistro/config/etc/services.d/api/finish b/wazuh-opendistro/config/etc/services.d/api/finish deleted file mode 100644 index 38d744d1..00000000 --- a/wazuh-opendistro/config/etc/services.d/api/finish +++ /dev/null 
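Review bot: `RUN ./bin/kibana-plugin install https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/staging/ui/kibana/wazuhapp-4.0.0_7.8.0_0.0.0.todelete.zip` fetches an unpinned artifact from a staging bucket whose file name says it will be deleted, with no checksum, and leaves the `WAZUH_APP_VERSION` ARG two lines above unused; the image is now non-reproducible and its contents depend on whoever can write to that bucket. Even on a development branch, keeping the URL in an ARG and pinning the archive by SHA-256 makes a swapped or vanished file fail the build instead of shipping. The fence shows the shape, assuming curl is present in the base image (entrypoint.sh already relies on it); the checksum is a placeholder to fill from the artifact you validated.

```dockerfile
ARG WAZUH_APP_URL="https://<staging-host-placeholder>/wazuhapp-${WAZUH_APP_VERSION}.zip"
ARG WAZUH_APP_SHA256="<sha256-of-validated-zip>"
RUN curl --fail --silent --show-error -L -o /tmp/wazuhapp.zip "${WAZUH_APP_URL}" && \
    echo "${WAZUH_APP_SHA256}  /tmp/wazuhapp.zip" | sha256sum -c - && \
    ./bin/kibana-plugin install file:///tmp/wazuhapp.zip && \
    rm -f /tmp/wazuhapp.zip
```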
@@ -1,6 +0,0 @@ -#!/usr/bin/env sh -echo >&2 "API exited. code=${1}" - -# terminate other services to exit from the container -exec s6-svscanctl -t /var/run/s6/services - diff --git a/wazuh-opendistro/config/etc/services.d/api/run b/wazuh-opendistro/config/etc/services.d/api/run deleted file mode 100644 index e6e3e831..00000000 --- a/wazuh-opendistro/config/etc/services.d/api/run +++ /dev/null @@ -1,4 +0,0 @@ -#!/usr/bin/with-contenv sh -echo >&2 "starting API" - -exec /bin/node /var/ossec/api/app.js From e7acb70b6f2cd6515c84b6f1389f0bbf77a98a33 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Mon, 24 Aug 2020 15:39:36 +0200 Subject: [PATCH 071/156] Install wazuh-manager v4 from staging --- wazuh-opendistro/Dockerfile | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index 1add03c0..f8173987 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile @@ -2,7 +2,7 @@ FROM centos:7 ARG FILEBEAT_VERSION=7.8.0 -ARG WAZUH_VERSION=3.13.1-1 +ARG WAZUH_VERSION=4.0.0-1 ARG TEMPLATE_VERSION="v3.13.1" ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz" 
@@ -13,14 +13,15 @@ ENV API_USER="foo" \ # Set repositories. RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH -COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo +# COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo RUN yum --enablerepo=updates clean metadata && \ - yum -y install openssl which && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \ - curl --silent --location https://rpm.nodesource.com/setup_10.x | bash - && \ - yum -y install nodejs && yum -y install wazuh-api-${WAZUH_VERSION} && \ - sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \ + curl --fail --silent https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/test/4.0/rpm/var/wazuh-manager-4.0.0-braulio.test.x86_64.rpm \ + -o wazuh-manager.rpm && \ + yum -y install openssl which && yum -y install wazuh-manager.rpm -y && \ yum clean all && rm -rf /var/cache/yum + # sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \ + RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm &&\ rpm -i filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm From da14494144e1a9f2f24bfe1787c8cd2b47f3c3c2 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Mon, 24 Aug 2020 16:21:16 +0200 Subject: [PATCH 072/156] Use staging repo --- wazuh-opendistro/config/wazuh.repo | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh-opendistro/config/wazuh.repo b/wazuh-opendistro/config/wazuh.repo index ae462c62..8be8a18e 100644 --- a/wazuh-opendistro/config/wazuh.repo +++ b/wazuh-opendistro/config/wazuh.repo @@ -3,5 +3,5 @@ gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=Wazuh repository -baseurl=https://packages.wazuh.com/3.x/yum/ +baseurl=https://packages-dev.wazuh.com/staging/yum/ protect=1 From 139ac79463d1d9b34bdc7d569526262d5afe2255 Mon Sep 17 00:00:00 2001 
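Review bot: `yum -y install wazuh-manager.rpm` installs a locally downloaded package, and yum does not GPG-check local files unless `localpkg_gpgcheck=1` is set, so the `rpm --import` of the Wazuh key two lines up and the `gpgcheck=1` of the now commented-out repo file no longer protect the manager package at all; a test build from packages-dev may well be unsigned, in which case the build should say so rather than silently skip the check. Either `yum --setopt=localpkg_gpgcheck=1 -y install wazuh-manager.rpm`, or pin the download right after the curl, `echo "<sha256-placeholder>  wazuh-manager.rpm" | sha256sum -c -`, so the build fails closed when the artifact changes. `yum -y install wazuh-manager.rpm -y` passes `-y` twice, and the commented `# sed -i ...` line left under the RUN edits a repo file that is itself now commented out; dropping both keeps the step readable.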
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Mon, 24 Aug 2020 16:28:04 +0200 Subject: [PATCH 073/156] Parametrize version --- wazuh-opendistro/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index f8173987..80ae4a76 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile @@ -2,7 +2,7 @@ FROM centos:7 ARG FILEBEAT_VERSION=7.8.0 -ARG WAZUH_VERSION=4.0.0-1 +ARG WAZUH_VERSION=4.0.0-braulio.test ARG TEMPLATE_VERSION="v3.13.1" ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz" @@ -16,7 +16,7 @@ RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH # COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo RUN yum --enablerepo=updates clean metadata && \ - curl --fail --silent https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/test/4.0/rpm/var/wazuh-manager-4.0.0-braulio.test.x86_64.rpm \ + curl --fail --silent https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/test/4.0/rpm/var/wazuh-manager-${WAZUH_VERSION}.x86_64.rpm \ -o wazuh-manager.rpm && \ yum -y install openssl which && yum -y install wazuh-manager.rpm -y && \ yum clean all && rm -rf /var/cache/yum From 5bb1127cf23357533efd7b52d934b279d9fa57e3 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Mon, 24 Aug 2020 16:57:38 +0200 Subject: [PATCH 074/156] Update username param --- kibana-opendistro/config/wazuh_app_config.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kibana-opendistro/config/wazuh_app_config.sh b/kibana-opendistro/config/wazuh_app_config.sh index afa3d71d..db1d8f82 100644 --- a/kibana-opendistro/config/wazuh_app_config.sh +++ b/kibana-opendistro/config/wazuh_app_config.sh @@ -59,7 +59,7 @@ hosts: - 1513629884013: url: $wazuh_url port: $wazuh_port - user: $api_user + username: $api_user password: $api_password EOF else 
From eb089e80116d98776c1154577b73aea326d11d81 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 25 Aug 2020 13:07:18 +0200 Subject: [PATCH 075/156] Switch to new filebeat module and template --- wazuh-opendistro/Dockerfile | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index 80ae4a76..25788066 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile @@ -3,8 +3,8 @@ FROM centos:7 ARG FILEBEAT_VERSION=7.8.0 ARG WAZUH_VERSION=4.0.0-braulio.test -ARG TEMPLATE_VERSION="v3.13.1" -ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz" +ARG TEMPLATE_VERSION="develop" +ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.2.tar.gz" ENV API_USER="foo" \ API_PASS="bar" @@ -26,10 +26,7 @@ RUN yum --enablerepo=updates clean metadata && \ RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm &&\ rpm -i filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm -RUN curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/${TEMPLATE_VERSION}/extensions/elasticsearch/7.x/wazuh-template.json &&\ - chmod go+r /etc/filebeat/wazuh-template.json - -RUN curl -s https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module +RUN curl -s https://packages-dev.wazuh.com/utils/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module ARG S6_VERSION="v2.0.0.1" RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \ From 325c191b68ec7d028fb0ed089263b774495dde7c Mon Sep 17 00:00:00 2001 
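Review bot: `RUN curl -s https://packages-dev.wazuh.com/utils/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module` fetches the module archive from the dev host without `--fail`, without a checksum and without pipefail, so the only thing standing between a bad download and the module directory is tar rejecting a non-gzip body; a truncated or substituted archive unpacks all the same. `curl --fail --silent --show-error -L` plus a pinned sha256 (the s6-overlay download a few lines below already uses `--fail`), or `ADD --checksum=sha256:<placeholder> <url>` with a recent Dockerfile syntax, makes the step fail closed. With the template download removed, `ARG TEMPLATE_VERSION="develop"` in the first hunk appears to have no remaining reader in this file; if nothing outside the visible hunks uses it, drop it so the value does not look load-bearing.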
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 25 Aug 2020 13:30:31 +0200 Subject: [PATCH 076/156] Bump to recent package --- wazuh-opendistro/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index 25788066..7fd4787a 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile @@ -2,7 +2,7 @@ FROM centos:7 ARG FILEBEAT_VERSION=7.8.0 -ARG WAZUH_VERSION=4.0.0-braulio.test +ARG WAZUH_VERSION=4.0.0-c6test ARG TEMPLATE_VERSION="develop" ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.2.tar.gz" @@ -16,7 +16,7 @@ RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH # COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo RUN yum --enablerepo=updates clean metadata && \ - curl --fail --silent https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/test/4.0/rpm/var/wazuh-manager-${WAZUH_VERSION}.x86_64.rpm \ + curl --fail --silent https://packages-dev.wazuh.com/warehouse/test/4.0/rpm/var/wazuh-manager-${WAZUH_VERSION}.x86_64.rpm \ -o wazuh-manager.rpm && \ yum -y install openssl which && yum -y install wazuh-manager.rpm -y && \ yum clean all && rm -rf /var/cache/yum From d7133df0f3022756c08553b670e64edfdf25ba6a Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 25 Aug 2020 13:40:24 +0200 Subject: [PATCH 077/156] Clean downloaded package --- wazuh-opendistro/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index 7fd4787a..f17b6d21 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile 
@@ -18,7 +18,7 @@ RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH RUN yum --enablerepo=updates clean metadata && \ curl --fail --silent https://packages-dev.wazuh.com/warehouse/test/4.0/rpm/var/wazuh-manager-${WAZUH_VERSION}.x86_64.rpm \ -o wazuh-manager.rpm && \ - yum -y install openssl which && yum -y install wazuh-manager.rpm -y && \ + yum -y install openssl which && yum -y install wazuh-manager.rpm -y && rm -f wazuh-manager.rpm \ yum clean all && rm -rf /var/cache/yum # sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \ From 248b769688f422c01baacb02ebd4e69d170ff726 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 25 Aug 2020 14:30:27 +0200 Subject: [PATCH 078/156] Remove API tweaks --- .../config/etc/cont-init.d/0-wazuh-init | 70 +++---------------- 1 file changed, 10 insertions(+), 60 deletions(-) diff --git a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init index b0cbd001..f3fbd1a4 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init +++ b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init @@ -7,7 +7,6 @@ source /permanent_data.env WAZUH_INSTALL_PATH=/var/ossec WAZUH_CONFIG_MOUNT=/wazuh-config-mount AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true} -API_GENERATE_CERTS=${API_GENERATE_CERTS:-true} ############################################################################## 
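Review bot: The new line ends in `rm -f wazuh-manager.rpm \` with no `&&`, so the backslash joins the following line and `yum clean all` becomes extra arguments to `rm -f`; the cache cleanup never runs and the `&&` chain is silently broken. It should read `... && rm -f wazuh-manager.rpm && \`. Patch 079 further down this series makes exactly that correction, so this revision is a broken intermediate state of the image.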
@@ -33,18 +32,10 @@ exec_cmd_stdout() { ############################################################################## -# Edit configuration -############################################################################## - -edit_configuration() { # $1 -> setting, $2 -> value - sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${WAZUH_INSTALL_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)" -} - -############################################################################## -# This function will attempt to mount every directory in PERMANENT_DATA -# into the respective path. -# If the path is empty means permanent data volume is also empty, so a backup -# will be copied into it. Otherwise it will not be copied because there is +# This function will attempt to mount every directory in PERMANENT_DATA +# into the respective path. +# If the path is empty means permanent data volume is also empty, so a backup +# will be copied into it. Otherwise it will not be copied because there is # already data inside the volume for the specified path. ############################################################################## @@ -61,9 +52,9 @@ mount_permanent_data() { } ############################################################################## -# This function will replace from the permanent data volume every file +# This function will replace from the permanent data volume every file # contained in PERMANENT_DATA_EXCP -# Some files as 'internal_options.conf' are saved as permanent data, but +# Some files as 'internal_options.conf' are saved as permanent data, but # they must be updated to work properly if wazuh version is changed. ############################################################################## @@ -76,7 +67,7 @@ apply_exclusion_data() { then mkdir -p ${DIR} fi - + print "Updating ${exclusion_file}" exec_cmd "cp -p ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ${exclusion_file}" fi 
@@ -84,14 +75,14 @@ apply_exclusion_data() { } ############################################################################## -# This function will delete from the permanent data volume every file +# This function will delete from the permanent data volume every file # contained in PERMANENT_DATA_DEL ############################################################################## remove_data_files() { for del_file in "${PERMANENT_DATA_DEL[@]}"; do if [ -e ${del_file} ] - then + then print "Removing ${del_file}" exec_cmd "rm ${del_file}" fi @@ -108,22 +99,6 @@ create_ossec_key_cert() { exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/" } -############################################################################## -# Create certificates: API -############################################################################## - -create_api_key_cert() { - print "Enabling Wazuh API HTTPS" - edit_configuration "https" "yes" - print "Create Wazuh API key and cert" - exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key 4096" - exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/" - - # Granting proper permissions - chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key - chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt -} - ############################################################################## # Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect # destination files permissions 
@@ -153,7 +128,7 @@ function ossec_shutdown(){ ############################################################################## # Interpret any passed arguments (via docker command to this entrypoint) as -# paths or commands, and execute them. +# paths or commands, and execute them. # # This can be useful for actions that need to be run before the services are # started, such as "/var/ossec/bin/ossec-control enable agentless". @@ -167,19 +142,6 @@ docker_custom_args() { done } -############################################################################## -# Change Wazuh API user credentials. -############################################################################## - -change_api_user_credentials() { - pushd /var/ossec/api/configuration/auth/ - echo "Change Wazuh API user credentials" - change_user="node htpasswd -b -c user $API_USER $API_PASS" - eval $change_user - popd -} - - ############################################################################## # Main function ############################################################################## @@ -203,15 +165,6 @@ main() { fi fi - # Generate API certs if API_GENERATE_CERTS is true and does not exist - if [ $API_GENERATE_CERTS == true ] - then - if [ ! -e ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt ] - then - create_api_key_cert - fi - fi - # Mount selected files (WAZUH_CONFIG_MOUNT) to container mount_files @@ -221,9 +174,6 @@ main() { # Execute custom args docker_custom_args - # Change API user credentials - change_api_user_credentials - # Delete temporary data folder rm -rf ${WAZUH_INSTALL_PATH}/data_tmp From 7badd1bdec38d178ba407f6196f2f3e6145140f9 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 25 Aug 2020 14:30:50 +0200 Subject: [PATCH 079/156] Fix package cleanup --- wazuh-opendistro/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index f17b6d21..b81723c6 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile @@ -18,7 +18,7 @@ RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH RUN yum --enablerepo=updates clean metadata && \ curl --fail --silent https://packages-dev.wazuh.com/warehouse/test/4.0/rpm/var/wazuh-manager-${WAZUH_VERSION}.x86_64.rpm \ -o wazuh-manager.rpm && \ - yum -y install openssl which && yum -y install wazuh-manager.rpm -y && rm -f wazuh-manager.rpm \ + yum -y install openssl which && yum -y install wazuh-manager.rpm -y && rm -f wazuh-manager.rpm && \ yum clean all && rm -rf /var/cache/yum # sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \ From 1608474bdffd37dd9b2417c006b4146dc9d39225 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 25 Aug 2020 14:36:49 +0200 Subject: [PATCH 080/156] Update wodles --- wazuh-opendistro/config/permanent_data.env | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/wazuh-opendistro/config/permanent_data.env b/wazuh-opendistro/config/permanent_data.env index ca461d63..9c2556d8 100644 --- a/wazuh-opendistro/config/permanent_data.env +++ b/wazuh-opendistro/config/permanent_data.env 
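Review bot: The corrected line still reads `yum -y install wazuh-manager.rpm -y`, passing `-y` twice; harmless but it reads like a leftover from an earlier edit. `yum -y install wazuh-manager.rpm && rm -f wazuh-manager.rpm && \` says the same thing once, and if `openssl which` are only needed as prerequisites they can join the same transaction.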
@@ -55,20 +55,13 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs" PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py" PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener" PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap.py" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_oval.xsl" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_xccdf.xsl" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-redhat-6-ds.xml" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-redhat-7-ds.xml" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-centos-6-ds.xml" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-centos-7-ds.xml" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-fedora-24-ds.xml" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-rhel-6-ds.xml" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-rhel-7-ds.xml" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud.py" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/integration.py" +PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/tools.py" export PERMANENT_DATA_EXCP -# Files mounted in a volume that should be deleted +# Files mounted in a volume that should be deleted i=0 PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db" export PERMANENT_DATA_DEL From bbabf9bb3b7945cc046141fb9029775d20479ea1 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 25 Aug 2020 15:09:49 +0200 Subject: [PATCH 081/156] Bump default index to 4 --- kibana-opendistro/config/kibana_settings.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
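Review bot: Dropping the eleven `/var/ossec/wodles/oscap/...` entries from `PERMANENT_DATA_EXCP` means those files, when present in a volume created by an earlier image, are no longer refreshed from the image but are not removed either, so stale oscap wodle files survive an upgrade silently. If the oscap wodle is no longer shipped in the 4.x package, consider listing its paths under `PERMANENT_DATA_DEL` below so existing volumes are cleaned up. A short comment above the new `gcloud` block, such as `# gcloud wodle scripts must track the installed package version`, would also record why these four files are exceptions.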
diff --git a/kibana-opendistro/config/kibana_settings.sh b/kibana-opendistro/config/kibana_settings.sh index 514727a6..c3239f25 100644 --- a/kibana-opendistro/config/kibana_settings.sh +++ b/kibana-opendistro/config/kibana_settings.sh @@ -1,7 +1,7 @@ #!/bin/bash # Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) -WAZUH_MAJOR=3 +WAZUH_MAJOR=4 ############################################################################## # Wait for the Kibana API to start. It is necessary to do it in this container From 274342e24dca43b5d09202d05d59e07f1f3449b5 Mon Sep 17 00:00:00 2001 From: manuasir Date: Tue, 25 Aug 2020 16:47:11 +0200 Subject: [PATCH 082/156] Disabled basic auth --- nginx_conf/kibana-web.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nginx_conf/kibana-web.conf b/nginx_conf/kibana-web.conf index b3821747..9ac5b667 100644 --- a/nginx_conf/kibana-web.conf +++ b/nginx_conf/kibana-web.conf @@ -10,11 +10,11 @@ server { ssl_certificate /etc/nginx/conf.d/ssl/kibana-access.pem; ssl_certificate_key /etc/nginx/conf.d/ssl/kibana-access.key; location / { - auth_basic "Restricted Access"; - auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd; + # auth_basic "Restricted Access"; + # auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd; proxy_pass http://kibana:5601/; proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k; } -} +} From 033600101233eee46f22b5f39defbdc3108072a4 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:03:33 +0200 Subject: [PATCH 083/156] Remove KIBANA_IP variable --- kibana-opendistro/config/kibana_settings.sh | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/kibana-opendistro/config/kibana_settings.sh b/kibana-opendistro/config/kibana_settings.sh index c3239f25..d536e24f 100644 --- a/kibana-opendistro/config/kibana_settings.sh +++ b/kibana-opendistro/config/kibana_settings.sh 
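Review bot: Commenting out `auth_basic` and `auth_basic_user_file` leaves `location /` on this TLS listener with no authentication of its own, so access control now depends entirely on what the upstream `kibana:5601` enforces. If the intent is that Kibana's own security plugin handles login, record that in the file instead of leaving dead directives, e.g. `# Authentication is handled by Kibana; nginx only terminates TLS.`, and delete the two commented lines. The trailing `-}`/`+}` pair appears to be a newline-at-end-of-file change only.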
@@ -29,13 +29,7 @@ if [ "$KIBANA_INDEX" != "" ]; then echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml fi -if [ "$KIBANA_IP" != "" ]; then - kibana_url="$KIBANA_IP" -else - kibana_url="kibana" -fi - -while [[ "$(curl -XGET -I -s -o /dev/null -w '%{http_code}' $kibana_url:5601/login)" != "200" ]]; do +while [[ "$(curl -XGET -I -s -o /dev/null -w '%{http_code}' https://127.0.0.1/login)" != "200" ]]; do echo "Waiting for Kibana API. Sleeping 5 seconds" sleep 5 done @@ -55,12 +49,12 @@ EOF sleep 5 # Add the wazuh alerts index as default. -curl ${auth} -POST $kibana_url:5601/api/kibana/settings -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} +curl ${auth} -POST https://127.0.0.1/api/kibana/settings -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} rm -f ${default_index} sleep 5 # Configuring Kibana TimePicker. -curl ${auth} -POST "http://$kibana_url:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ +curl ${auth} -POST "https://127.0.0.1/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ '{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-12h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}' echo "End settings" From a9ee1f7e2901df6792389ec7e32160aebf5c4e0a Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 26 Aug 2020 13:18:01 +0200 Subject: [PATCH 084/156] Update staging app --- kibana-opendistro/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kibana-opendistro/Dockerfile b/kibana-opendistro/Dockerfile index 3f72a444..a897acdc 100644 --- a/kibana-opendistro/Dockerfile +++ b/kibana-opendistro/Dockerfile 
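Review bot: The readiness loop now polls `https://127.0.0.1/login`, i.e. port 443 over TLS, while the replaced code and Kibana's default listener use port 5601, and no `-k` or `--cacert` is given, so against a self-signed certificate or an unused port the `while` loop never observes `200` and spins with no timeout. The same URL change is repeated in the two `curl ${auth} -POST` calls in the second hunk of this patch. Patches 088 and 089 later on this page move the URL back to `127.0.0.1:5601` and add `-k`, which suggests this revision did not work as committed; bounding the loop (`for i in $(seq 1 60); do ... done`) would also stop a container start from hanging indefinitely when Kibana never comes up.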
@@ -6,7 +6,7 @@ ARG WAZUH_VERSION=3.13.1 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" WORKDIR /usr/share/kibana -RUN ./bin/kibana-plugin install https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/staging/ui/kibana/wazuhapp-4.0.0_7.8.0_0.0.0.todelete.zip +RUN ./bin/kibana-plugin install https://packages-dev.wazuh.com/warehouse/test/4.0/ui/kibana/wazuhapp-4.0.0_7.8.0_0.0.0.todelete.zip WORKDIR / USER root From 3deb80d6a099d25f8c3fdf6507aa01e41212b3d0 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 26 Aug 2020 15:29:06 +0200 Subject: [PATCH 085/156] Add temporary fix for node dependencies --- kibana-opendistro/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kibana-opendistro/Dockerfile b/kibana-opendistro/Dockerfile index a897acdc..0f4605a8 100644 --- a/kibana-opendistro/Dockerfile +++ b/kibana-opendistro/Dockerfile @@ -7,6 +7,8 @@ ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" WORKDIR /usr/share/kibana RUN ./bin/kibana-plugin install https://packages-dev.wazuh.com/warehouse/test/4.0/ui/kibana/wazuhapp-4.0.0_7.8.0_0.0.0.todelete.zip +RUN cp -Rf ./plugins/wazuh/node_modules/brace ./node_modules/ +RUN rm -Rf plugins/wazuh/node_modules/brace WORKDIR / USER root From a24fd2fbce1997038cff365fc95fce80e5796eff Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 26 Aug 2020 15:29:53 +0200 Subject: [PATCH 086/156] Add SSL_CERTIFICATE and SSL_KEY support to config-filebeat --- .../config/etc/cont-init.d/1-config-filebeat | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat b/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat index dae9947f..04be44bb 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat +++ b/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat 
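Review bot: The new `kibana-plugin install` URL hard-codes `wazuhapp-4.0.0_7.8.0_0.0.0.todelete.zip` even though `ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"` is declared two lines above (with `WAZUH_VERSION=3.13.1`, so the ARG and the installed plugin disagree), and the zip is fetched from the network with no integrity check. Patch 094 further down this page switches to `${WAZUH_APP_VERSION}` but keeps the unverified download. Prefer `curl --fail` to a temporary file, `sha256sum -c` against a checked-in digest, then `./bin/kibana-plugin install file:///tmp/<plugin>.zip`, so a tampered or truncated artifact fails the build instead of producing a broken image.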
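Review bot: `RUN cp -Rf ./plugins/wazuh/node_modules/brace ./node_modules/` followed by a separate `RUN rm -Rf plugins/wazuh/node_modules/brace` creates two layers, and the removal in the second does not shrink the image because the original tree is already baked into the earlier layer; a single `RUN mv ./plugins/wazuh/node_modules/brace ./node_modules/` does the same in one step. The commit title calls this temporary, but nothing in the Dockerfile says so; add `# Temporary workaround for the plugin's node dependencies (see commit); remove once upstream no longer needs it.` above the line so the next maintainer knows it can go. Patch 095 on this page does remove it.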
@@ -30,6 +30,16 @@ if [ "$SSL_CERTIFICATE_AUTHORITIES" != "" ]; then sed -i "s|#ssl.certificate_authorities:.*|ssl.certificate_authorities: ['$SSL_CERTIFICATE_AUTHORITIES']|g" /etc/filebeat/filebeat.yml fi +if [ "$SSL_CERTIFICATE" != "" ]; then + >&2 echo "Configuring SSL Certificate." + sed -i "s|#ssl.certificate:.*|ssl.certificate: ['$SSL_CERTIFICATE']|g" /etc/filebeat/filebeat.yml +fi + +if [ "$SSL_KEY" != "" ]; then + >&2 echo "Configuring SSL Key." + sed -i "s|#ssl.key:.*|ssl.key: ['$SSL_KEY']|g" /etc/filebeat/filebeat.yml +fi + chmod go-w /etc/filebeat/filebeat.yml || true chown root: /etc/filebeat/filebeat.yml || true From 6ebc52467bdad89548197327c774ab4603c2e243 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 26 Aug 2020 16:27:10 +0200 Subject: [PATCH 087/156] Optimize Docker layer caching --- kibana-opendistro/Dockerfile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/kibana-opendistro/Dockerfile b/kibana-opendistro/Dockerfile index 0f4605a8..8d066505 100644 --- a/kibana-opendistro/Dockerfile +++ b/kibana-opendistro/Dockerfile @@ -41,12 +41,6 @@ ENV PATTERN="" \ WAZUH_MONITORING_REPLICAS="" \ ADMIN_PRIVILEGES="" -COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./ -RUN chmod +x ./wazuh_app_config.sh - -COPY --chown=kibana:kibana ./config/kibana_settings.sh ./ -RUN chmod +x ./kibana_settings.sh - USER kibana RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --optimize @@ -56,4 +50,10 @@ RUN chmod +x ./welcome_wazuh.sh ARG CHANGE_WELCOME="true" RUN ./welcome_wazuh.sh +COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./ +RUN chmod +x ./wazuh_app_config.sh + +COPY --chown=kibana:kibana ./config/kibana_settings.sh ./ +RUN chmod +x ./kibana_settings.sh + ENTRYPOINT ./entrypoint.sh From 68a02f1f388bf4a3cfcdaa98a48ef6871dfba3e3 Mon Sep 17 00:00:00 2001 
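Review bot: `sed -i "s|#ssl.certificate:.*|ssl.certificate: ['$SSL_CERTIFICATE']|g"` writes the certificate path as a YAML list, but filebeat's `ssl.certificate` and `ssl.key` are scalar strings (only `ssl.certificate_authorities` takes a list), so the generated config has the wrong type; patch 098 later in this series drops the brackets. Independently, `$SSL_CERTIFICATE` and `$SSL_KEY` are expanded unescaped inside the sed replacement, so a value containing `|` or `&` breaks the expression or inserts the matched text, and that part is not fixed by 098 either. Escaping the value first, e.g. `esc=$(printf '%s' "$SSL_KEY" | sed 's/[&|\\]/\\&/g')`, or generating the file from a template rather than sed would make both fields robust.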
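Review bot: Each of the two scripts is now a `COPY --chown=kibana:kibana` plus a separate `RUN chmod +x`, four layers for two files; set the executable bit on the files in the build context (or use `COPY --chmod=755` if the build runs under BuildKit) and drop both `RUN chmod` lines. Moving the COPYs below the `--optimize` step is the right call for cache reuse, as the title says. The adjacent shell-form `ENTRYPOINT ./entrypoint.sh` is pre-existing, but since the tail of the file is being reshuffled anyway, switching it to `ENTRYPOINT ["./entrypoint.sh"]` would let the script run as PID 1 and receive SIGTERM from `docker stop`.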
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 26 Aug 2020 16:27:47 +0200 Subject: [PATCH 088/156] Switch back to port 5601 on kibana --- kibana-opendistro/config/kibana_settings.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kibana-opendistro/config/kibana_settings.sh b/kibana-opendistro/config/kibana_settings.sh index d536e24f..63535605 100644 --- a/kibana-opendistro/config/kibana_settings.sh +++ b/kibana-opendistro/config/kibana_settings.sh @@ -29,7 +29,7 @@ if [ "$KIBANA_INDEX" != "" ]; then echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml fi -while [[ "$(curl -XGET -I -s -o /dev/null -w '%{http_code}' https://127.0.0.1/login)" != "200" ]]; do +while [[ "$(curl -XGET -I -s -o /dev/null -w '%{http_code}' http://127.0.0.1:5601/login)" != "200" ]]; do echo "Waiting for Kibana API. Sleeping 5 seconds" sleep 5 done @@ -49,12 +49,12 @@ EOF sleep 5 # Add the wazuh alerts index as default. -curl ${auth} -POST https://127.0.0.1/api/kibana/settings -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} +curl ${auth} -POST http://127.0.0.1:5601/api/kibana/settings -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} rm -f ${default_index} sleep 5 # Configuring Kibana TimePicker. -curl ${auth} -POST "https://127.0.0.1/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ +curl ${auth} -POST "http://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ '{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-12h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}' echo "End settings" From 98273c1e27d2789a82d7204f9523ca232eb079a8 Mon Sep 17 00:00:00 2001 
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 28 Aug 2020 14:36:55 +0200 Subject: [PATCH 089/156] Enable HTTPS for status checks --- kibana-opendistro/config/kibana_settings.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kibana-opendistro/config/kibana_settings.sh b/kibana-opendistro/config/kibana_settings.sh index 63535605..19cae116 100644 --- a/kibana-opendistro/config/kibana_settings.sh +++ b/kibana-opendistro/config/kibana_settings.sh @@ -29,7 +29,7 @@ if [ "$KIBANA_INDEX" != "" ]; then echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml fi -while [[ "$(curl -XGET -I -s -o /dev/null -w '%{http_code}' http://127.0.0.1:5601/login)" != "200" ]]; do +while [[ "$(curl -XGET -I -s -o /dev/null -w '%{http_code}' -k https://127.0.0.1:5601/login)" != "200" ]]; do echo "Waiting for Kibana API. Sleeping 5 seconds" sleep 5 done @@ -49,12 +49,12 @@ EOF sleep 5 # Add the wazuh alerts index as default. -curl ${auth} -POST http://127.0.0.1:5601/api/kibana/settings -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} +curl ${auth} -POST -k https://127.0.0.1:5601/api/kibana/settings -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} rm -f ${default_index} sleep 5 # Configuring Kibana TimePicker. -curl ${auth} -POST "http://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ +curl ${auth} -POST -k "https://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ '{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-12h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}' echo "End settings" From 8fb7110af5f76b91caf78175625a98b80593fa45 Mon Sep 17 00:00:00 2001 
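Review bot: `-k` disables certificate verification on all three `curl` calls, including the two `-POST` requests that carry `${auth}`; on a loopback address inside the same container the exposure is limited, but the reason should be written down rather than left implicit. If the certificate configured for Kibana covers the loopback address, `--cacert "<path to server cert>"` would verify instead of skipping; where that is not possible, keep `-k` with a comment such as `# Self-signed cert on loopback; verification intentionally skipped`. The `-XGET -I` combination in the wait loop is also contradictory (a HEAD request with the method forced to GET, which curl warns about); `-I` alone, or `-s -o /dev/null -w '%{http_code}'` without `-I`, is cleaner.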
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 28 Aug 2020 14:37:21 +0200 Subject: [PATCH 090/156] Enable SSL on Kibana by default Nginx container was disabled but left commented as an example --- docker-compose.yml | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index fa2690cc..3e17716e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -52,28 +52,34 @@ services: image: wazuh-kibana-opendistro hostname: kibana restart: always + ports: + - 443:5601 environment: - ELASTICSEARCH_USERNAME=admin - ELASTICSEARCH_PASSWORD=admin + - SERVER_SSL_ENABLED=true + - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert + - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key + depends_on: - elasticsearch links: - elasticsearch:elasticsearch - wazuh:wazuh - nginx: - image: nginx:stable - hostname: nginx - restart: always - ports: - - "80:80" - - "443:443" - depends_on: - - kibana - links: - - kibana:kibana - volumes: - - ./nginx_conf:/etc/nginx/conf.d:ro + # nginx: + # image: nginx:stable + # hostname: nginx + # restart: always + # ports: + # - "80:80" + # - "443:443" + # depends_on: + # - kibana + # links: + # - kibana:kibana + # volumes: + # - ./nginx_conf:/etc/nginx/conf.d:ro volumes: ossec_api_configuration: From 8657266ffda68f56dcde588ff24f150ea63a7d12 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 1 Sep 2020 17:23:49 +0200 Subject: [PATCH 091/156] Bump package version --- wazuh-opendistro/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index b81723c6..672ec2d6 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile 
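Review bot: `SERVER_SSL_CERTIFICATE` and `SERVER_SSL_KEY` point at `opendistroforelasticsearch.example.org.cert/.key` under `/usr/share/kibana/config/`, which by name appear to be the demo certificate and key shipped inside the base image; if so, every deployment of this compose file publishes port 443 with a private key that is publicly known, and the TLS layer authenticates nothing. Add a comment on those two lines marking them as demo material and mount operator-provided files instead, e.g. a `volumes:` entry `- ./kibana-certs:/usr/share/kibana/config/certs:ro` with the two variables pointing into it. The `ELASTICSEARCH_USERNAME=admin`/`ELASTICSEARCH_PASSWORD=admin` context lines carry the same demo-default concern, though they are not part of this change.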
@@ -2,7 +2,7 @@ FROM centos:7 ARG FILEBEAT_VERSION=7.8.0 -ARG WAZUH_VERSION=4.0.0-c6test +ARG WAZUH_VERSION=4.0.0-0.0.0.developtestingaugust ARG TEMPLATE_VERSION="develop" ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.2.tar.gz" From e45c0f3c4df4493d25a02704597ee129689e2c18 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 2 Sep 2020 10:07:56 +0200 Subject: [PATCH 092/156] Switch 1514 to TCP --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 3e17716e..3545d480 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -8,7 +8,7 @@ services: hostname: wazuh-manager restart: always ports: - - "1514:1514/udp" + - "1514:1514" - "1515:1515" - "514:514/udp" - "55000:55000" From 32cd19f344180657bde135b31d7e61b9793d6975 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 3 Sep 2020 12:55:59 +0200 Subject: [PATCH 093/156] Enable pre-release package --- wazuh-opendistro/Dockerfile | 11 ++++------- wazuh-opendistro/config/wazuh.repo | 2 +- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index 672ec2d6..1bab9f3c 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile @@ -2,7 +2,7 @@ FROM centos:7 ARG FILEBEAT_VERSION=7.8.0 -ARG WAZUH_VERSION=4.0.0-0.0.0.developtestingaugust +ARG WAZUH_VERSION=4.0.0-1 ARG TEMPLATE_VERSION="develop" ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.2.tar.gz" 
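Review bot: Switching the published mapping to `"1514:1514"` (TCP) changes only the compose file, while `EXPOSE 55000/tcp 1514/udp ...` in `wazuh-opendistro/Dockerfile` keeps documenting UDP until patch 097 later in this series; the two should move together so the image metadata and the published port never disagree. If the manager's `ossec.conf` remote block also selects the protocol, confirm it is TCP for 1514 as well, otherwise agents connecting over TCP will be refused.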
@@ -13,15 +13,12 @@ ENV API_USER="foo" \ # Set repositories. RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH -# COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo +COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo RUN yum --enablerepo=updates clean metadata && \ - curl --fail --silent https://packages-dev.wazuh.com/warehouse/test/4.0/rpm/var/wazuh-manager-${WAZUH_VERSION}.x86_64.rpm \ - -o wazuh-manager.rpm && \ - yum -y install openssl which && yum -y install wazuh-manager.rpm -y && rm -f wazuh-manager.rpm && \ + yum -y install openssl which && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \ + sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \ yum clean all && rm -rf /var/cache/yum - # sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \ - RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm &&\ rpm -i filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm diff --git a/wazuh-opendistro/config/wazuh.repo b/wazuh-opendistro/config/wazuh.repo index 8be8a18e..15e1b822 100644 --- a/wazuh-opendistro/config/wazuh.repo +++ b/wazuh-opendistro/config/wazuh.repo @@ -3,5 +3,5 @@ gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=Wazuh repository -baseurl=https://packages-dev.wazuh.com/staging/yum/ +baseurl=https://packages-dev.wazuh.com/pre-release/yum/ protect=1 From b6cc7d20bbf2f612039e39d9d43776e1ad49e679 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 3 Sep 2020 12:56:14 +0200 Subject: [PATCH 094/156] Use latest app version from pre-release --- kibana-opendistro/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kibana-opendistro/Dockerfile b/kibana-opendistro/Dockerfile index 8d066505..530316a6 100644 --- a/kibana-opendistro/Dockerfile +++ b/kibana-opendistro/Dockerfile 
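Review bot: `baseurl=https://packages-dev.wazuh.com/pre-release/yum/` bakes a pre-release channel into `/etc/yum.repos.d/wazuh.repo` inside the image; the Dockerfile hunk above sets `enabled=0` after installation, which is good, but the file remains in the image and any later `yum --enablerepo=wazuh` pulls pre-release builds without the operator realizing it. Add a comment to the repo file such as `# Pre-release channel for 4.0.0 testing; switch baseurl to <release baseurl> before tagging a release.` so the intent is visible where the URL lives. Keeping `gpgcheck=1` with the Wazuh key means these packages are signature-checked, which the earlier curl-and-install-from-file approach did not guarantee.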
@@ -2,11 +2,11 @@ FROM amazon/opendistro-for-elasticsearch-kibana:1.9.0 USER kibana ARG ELASTIC_VERSION=7.8.0 -ARG WAZUH_VERSION=3.13.1 +ARG WAZUH_VERSION=4.0.0 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" WORKDIR /usr/share/kibana -RUN ./bin/kibana-plugin install https://packages-dev.wazuh.com/warehouse/test/4.0/ui/kibana/wazuhapp-4.0.0_7.8.0_0.0.0.todelete.zip +RUN ./bin/kibana-plugin install https://packages-dev.wazuh.com/pre-release/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip RUN cp -Rf ./plugins/wazuh/node_modules/brace ./node_modules/ RUN rm -Rf plugins/wazuh/node_modules/brace From e598cc7712b37c4db232ce84191f284ca813287c Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 3 Sep 2020 17:12:15 +0200 Subject: [PATCH 095/156] Remove temporary brace fix --- kibana-opendistro/Dockerfile | 2 -- 1 file changed, 2 deletions(-) diff --git a/kibana-opendistro/Dockerfile b/kibana-opendistro/Dockerfile index 530316a6..82631ca2 100644 --- a/kibana-opendistro/Dockerfile +++ b/kibana-opendistro/Dockerfile @@ -7,8 +7,6 @@ ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" WORKDIR /usr/share/kibana RUN ./bin/kibana-plugin install https://packages-dev.wazuh.com/pre-release/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip -RUN cp -Rf ./plugins/wazuh/node_modules/brace ./node_modules/ -RUN rm -Rf plugins/wazuh/node_modules/brace WORKDIR / USER root From 37ba48d56d552099da39668e1e70422efd317edd Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 16 Sep 2020 17:59:54 +0200 Subject: [PATCH 096/156] Update ulimits --- docker-compose.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index 3545d480..c7a846db 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -46,6 +46,9 @@ services: memlock: soft: -1 hard: -1 + nofile: + soft: 65536 + hard: 65536 kibana: build: kibana-opendistro/ 
From 3d7807d27b59d701d9d43cf1ed214aa461b38def Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 16 Sep 2020 18:00:36 +0200 Subject: [PATCH 097/156] Update expose instruction to use TCP for logging --- wazuh-opendistro/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index 1bab9f3c..dd76e266 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile @@ -49,6 +49,6 @@ RUN chmod 755 /permanent_data.sh && \ sync && rm /permanent_data.sh # Services ports -EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp +EXPOSE 55000/tcp 1514/tcp 1515/tcp 514/udp 1516/tcp ENTRYPOINT [ "/init" ] From ac0c85bb64b44973711a405d466dd29a1fd87b23 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 16 Sep 2020 18:01:19 +0200 Subject: [PATCH 098/156] Fix filebeat.yml format --- wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat b/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat index 04be44bb..ce033aa5 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat +++ b/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat @@ -32,12 +32,12 @@ fi if [ "$SSL_CERTIFICATE" != "" ]; then >&2 echo "Configuring SSL Certificate." - sed -i "s|#ssl.certificate:.*|ssl.certificate: ['$SSL_CERTIFICATE']|g" /etc/filebeat/filebeat.yml + sed -i "s|#ssl.certificate:.*|ssl.certificate: '$SSL_CERTIFICATE'|g" /etc/filebeat/filebeat.yml fi if [ "$SSL_KEY" != "" ]; then >&2 echo "Configuring SSL Key." - sed -i "s|#ssl.key:.*|ssl.key: ['$SSL_KEY']|g" /etc/filebeat/filebeat.yml + sed -i "s|#ssl.key:.*|ssl.key: '$SSL_KEY'|g" /etc/filebeat/filebeat.yml fi From a2e780525112f340a3f05a8c2084859a7777d3af Mon Sep 17 00:00:00 2001 
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 16 Sep 2020 18:08:38 +0200 Subject: [PATCH 099/156] Remove deprecated nginx section --- docker-compose.yml | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index c7a846db..4e859267 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -70,20 +70,6 @@ services: - elasticsearch:elasticsearch - wazuh:wazuh - # nginx: - # image: nginx:stable - # hostname: nginx - # restart: always - # ports: - # - "80:80" - # - "443:443" - # depends_on: - # - kibana - # links: - # - kibana:kibana - # volumes: - # - ./nginx_conf:/etc/nginx/conf.d:ro - volumes: ossec_api_configuration: ossec_etc: From ee26db692b27bd9ecde2f7f44d8f600bfed189b6 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 24 Sep 2020 11:32:51 +0200 Subject: [PATCH 100/156] Remove legacy code to run cmd on entrypoint --- .../config/etc/cont-init.d/0-wazuh-init | 20 +------------------ 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init index f3fbd1a4..1aa78f65 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init +++ b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init 
@@ -126,21 +126,6 @@ function ossec_shutdown(){ ${WAZUH_INSTALL_PATH}/bin/ossec-control stop; } -############################################################################## -# Interpret any passed arguments (via docker command to this entrypoint) as -# paths or commands, and execute them. -# -# This can be useful for actions that need to be run before the services are -# started, such as "/var/ossec/bin/ossec-control enable agentless". -############################################################################## - -docker_custom_args() { - for CUSTOM_COMMAND in "$@" - do - echo "Executing command \`${CUSTOM_COMMAND}\`" - exec_cmd_stdout "${CUSTOM_COMMAND}" - done -} ############################################################################## # Main function @@ -169,10 +154,7 @@ main() { mount_files # Trap exit signals and do a proper shutdown - trap "ossec_shutdown; exit" SIGINT SIGTERM - - # Execute custom args - docker_custom_args + trap "ossec_shutdown; exit" SIGINT SIGTERM # Delete temporary data folder rm -rf ${WAZUH_INSTALL_PATH}/data_tmp From 960105b776c31647799cac3d732b74d87d2ca8c4 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 24 Sep 2020 12:55:46 +0200 Subject: [PATCH 101/156] Remove extra space --- wazuh-opendistro/config/etc/cont-init.d/2-manager | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh-opendistro/config/etc/cont-init.d/2-manager b/wazuh-opendistro/config/etc/cont-init.d/2-manager index e548e8b1..6ce02ae2 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/2-manager +++ b/wazuh-opendistro/config/etc/cont-init.d/2-manager @@ -1,3 +1,3 @@ #!/usr/bin/with-contenv bash -/var/ossec/bin/ossec-control start +/var/ossec/bin/ossec-control start From 0fed6d6e8bb82845d384a2adee4c9a2df6bd505a Mon Sep 17 00:00:00 2001 
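Review bot: In the second hunk (inside `main`) the `trap "ossec_shutdown; exit" SIGINT SIGTERM` line is removed and re-added with identical text, so beyond dropping the `docker_custom_args` call the only difference appears to be whitespace; leaving that line untouched keeps the diff to the intended deletion. With the hook gone, any arguments still reaching `main` (if it is invoked with `"$@"` outside the hunk) are now ignored silently rather than executed, which deserves a one-line comment at the former call site, e.g. `# container arguments are no longer executed here (docker_custom_args was removed)`. `main` begins and ends outside the hunk.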
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 30 Sep 2020 17:38:38 +0200 Subject: [PATCH 102/156] Removing legacy nginx config --- README.md | 8 ----- nginx_conf/README.md | 34 --------------------- nginx_conf/kibana-web.conf | 20 ------------ nginx_conf/ssl/generate-self-signed-cert.sh | 12 -------- 4 files changed, 74 deletions(-) delete mode 100644 nginx_conf/README.md delete mode 100644 nginx_conf/kibana-web.conf delete mode 100644 nginx_conf/ssl/generate-self-signed-cert.sh diff --git a/README.md b/README.md index e28fe2fc..7c3c87f6 100644 --- a/README.md +++ b/README.md @@ -26,9 +26,6 @@ In addition, a docker-compose file is provided to launch the containers mentione Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed) and setup the basic auth. -Documentation on how to provide these two can be found at [nginx_conf/README.md](nginx_conf/README.md). - - ## Directory structure wazuh-docker @@ -50,11 +47,6 @@ Documentation on how to provide these two can be found at [nginx_conf/README.md] │   │   └── xpack_config.sh │   └── Dockerfile ├── LICENSE - ├── nginx_conf - │   ├── kibana-web.conf - │   ├── README.md - │   └── ssl - │   └── generate-self-signed-cert.sh ├── README.md ├── VERSION └── wazuh diff --git a/nginx_conf/README.md b/nginx_conf/README.md deleted file mode 100644 index aef42766..00000000 --- a/nginx_conf/README.md +++ /dev/null 
@@ -1,34 +0,0 @@ - -### Enable SSL Traffic - -Our Nginx config has SSL enabled by default, but it does require you to provide your certificate first, copy here your certificate files as `kibana-access.pem` and `kibana-access.key`. - -The final tree should be like this: - -``` -nginx_conf/ -├── kibana.htpasswd -├── kibana-web.conf -└── ssl - ├── kibana-access.key - └── kibana-access.pem -``` - - - -#### Using a Self Signed Certificate - -In case you want to use a self-signed certificate we provided a script to generate one. - -Execute `bash generate-self-signed-cert.sh` inside the `ssl` directory and it will be generated. You must install `openssl` first. - - -### Setup Basic Authentication - -The nginx configuration expects the file `kibana.htpasswd`. - -This file can be generated with the `htpasswd` command. - -```bash -htpasswd -c kibana.htpasswd username -``` diff --git a/nginx_conf/kibana-web.conf b/nginx_conf/kibana-web.conf deleted file mode 100644 index 9ac5b667..00000000 --- a/nginx_conf/kibana-web.conf +++ /dev/null @@ -1,20 +0,0 @@ -server { - listen 80; - listen [::]:80; - return 301 https://$host:443$request_uri; -} - -server { - listen 443 default_server ssl http2; - listen [::]:443 ssl http2; - ssl_certificate /etc/nginx/conf.d/ssl/kibana-access.pem; - ssl_certificate_key /etc/nginx/conf.d/ssl/kibana-access.key; - location / { - # auth_basic "Restricted Access"; - # auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd; - proxy_pass http://kibana:5601/; - proxy_buffer_size 128k; - proxy_buffers 4 256k; - proxy_busy_buffers_size 256k; - } -} diff --git a/nginx_conf/ssl/generate-self-signed-cert.sh b/nginx_conf/ssl/generate-self-signed-cert.sh deleted file mode 100644 index f30fd69d..00000000 --- a/nginx_conf/ssl/generate-self-signed-cert.sh +++ /dev/null 
@@ -1,12 +0,0 @@ -#!/bin/bash - -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" -cd $DIR - -if [ -s kibana-access.key ] -then - echo "Aborting. Certificate already exists" - exit -else - openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout kibana-access.key -out kibana-access.pem -fi From e2f8f6d164e80de40ae07fee80cc780296e9785e Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 30 Sep 2020 17:42:40 +0200 Subject: [PATCH 103/156] Switch template to master branch --- wazuh-opendistro/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index dd76e266..7112e2a1 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile @@ -3,7 +3,7 @@ FROM centos:7 ARG FILEBEAT_VERSION=7.8.0 ARG WAZUH_VERSION=4.0.0-1 -ARG TEMPLATE_VERSION="develop" +ARG TEMPLATE_VERSION="master" ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.2.tar.gz" ENV API_USER="foo" \ From 84d1044e7059de1b4baf6904fdf5a98039d042c5 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 30 Sep 2020 17:43:37 +0200 Subject: [PATCH 104/156] Add expect and openssh-clients to support agentless monitoring --- wazuh-opendistro/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index 7112e2a1..25f1fad8 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile 
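Review bot: `ARG TEMPLATE_VERSION="master"` makes the build depend on a moving branch, so two builds of the same Dockerfile can fetch different templates and any push to that branch changes the image without a change here; a release tag would keep the build reproducible. If tracking the branch is intentional for this development line, say so in a comment, e.g. `# template fetched from a moving branch; pin to a release tag before publishing`, so the next reader does not "fix" it. Where `TEMPLATE_VERSION` is consumed lies outside this hunk.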
@@ -16,7 +16,7 @@ RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo RUN yum --enablerepo=updates clean metadata && \ - yum -y install openssl which && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \ + yum -y install openssl which expect openssh-clients && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \ sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \ yum clean all && rm -rf /var/cache/yum From 545725bbfcade57d1d8c51619de1b5ee034aa993 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 30 Sep 2020 17:46:12 +0200 Subject: [PATCH 105/156] Add suport for migration from a volume --- .../config/etc/cont-init.d/2-manager | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/wazuh-opendistro/config/etc/cont-init.d/2-manager b/wazuh-opendistro/config/etc/cont-init.d/2-manager index 6ce02ae2..bf64f3d2 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/2-manager +++ b/wazuh-opendistro/config/etc/cont-init.d/2-manager 
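Review bot: The packages on the first `yum -y install` (`openssl which expect openssh-clients`) are unpinned, unlike `wazuh-manager-${WAZUH_VERSION}`, so the image contents depend on whatever the CentOS mirror serves at build time; the second `install` also carries a redundant trailing `-y`. At minimum a comment should record why the two new packages exist, e.g. `# expect and openssh-clients are used by agentless monitoring (ossec-control enable agentless)`, and pinning them (`expect-<version>`, placeholder) would restore reproducibility. The `RUN` chain continues past the hunk.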
@@ -1,3 +1,74 @@ #!/usr/bin/with-contenv bash +############################################################################## +# Migration sequence +# Detect if there is a mounted volume on /wazuh-migration and copy the data +# to /var/ossec, finally it will create a flag ".migration-completed" inside +# the mounted volume +############################################################################## + +function __colortext() +{ + echo -e " \e[1;$2m$1\e[0m" +} + +function echogreen() +{ + echo $(__colortext "$1" "32") +} + +function echoyellow() +{ + echo $(__colortext "$1" "33") +} + +function_wazuh_migration(){ + if [ -d "/wazuh-migration" ]; then + if [ ! -e /wazuh-migration/.migration-completed ]; then + if [ ! -e /wazuh-migration/global.db ]; then + echoyellow "The volume mounted on /wazuh-migration does not contain all the correct files." + return + fi + + \cp -f /wazuh-migration/data/etc/ossec.conf /var/ossec/etc/ossec.conf + chown root:ossec /var/ossec/etc/ossec.conf + chmod 640 /var/ossec/etc/ossec.conf + + \cp -f /wazuh-migration/data/etc/client.keys /var/ossec/etc/client.keys + chown ossec:ossec /var/ossec/etc/client.keys + chmod 640 /var/ossec/etc/client.keys + + \cp -f /wazuh-migration/data/etc/sslmanager.cert /var/ossec/etc/sslmanager.cert + \cp -f /wazuh-migration/data/etc/sslmanager.key /var/ossec/etc/sslmanager.key + chown root:root /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key + chmod 640 /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key + + \cp -f /wazuh-migration/data/etc/shared/default/agent.conf /var/ossec/etc/shared/default/agent.conf + chown ossec:ossec /var/ossec/etc/shared/default/agent.conf + chmod 660 /var/ossec/etc/shared/default/agent.conf + + if [ -e /wazuh-migration/data/agentless/.passlist ]; then + \cp -f /wazuh-migration/data/agentless/.passlist /var/ossec/agentless/.passlist + chown root:ossec /var/ossec/agentless/.passlist + chmod 640 /var/ossec/agentless/.passlist + fi + + \cp -f 
/wazuh-migration/global.db /var/ossec/queue/db/global.db + chown ossec:ossec /var/ossec/queue/db/global.db + chmod 640 /var/ossec/queue/db/global.db + + # mark volume as migrated + touch /wazuh-migration/.migration-completed + + echogreen "Migration completed succesfully" + else + echoyellow "This volume has already been migrated. You may proceed and remove it from the mount point (/wazuh-migration)" + fi + fi +} + +# Migrate data from /wazuh-migration volume +function_wazuh_migration + +# Start Wazuh /var/ossec/bin/ossec-control start From 83941c143a1af6b0ba2b6951327cd2a87ba84718 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 30 Sep 2020 17:46:42 +0200 Subject: [PATCH 106/156] Support for generating Opendistro certs from docker-compose --- generate-opendistro-certs.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 generate-opendistro-certs.yml diff --git a/generate-opendistro-certs.yml b/generate-opendistro-certs.yml new file mode 100644 index 00000000..4c83507a --- /dev/null +++ b/generate-opendistro-certs.yml @@ -0,0 +1,10 @@ +# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2) +version: '3' + +services: + generator: + image: wazuh/opendistro-certs-generator:0.1 + hostname: opendistro-certs-generator + volumes: + - ./production_cluster/ssl_certs/certs.yml:/usr/src/config/myconf.yml + - ./production_cluster/ssl_certs/:/usr/src/certs/out/ From 9069d993f10c2e6b2fe64c3c56390b1ba66bc272 Mon Sep 17 00:00:00 2001 
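Review bot: `function_wazuh_migration` only checks that `/wazuh-migration/global.db` exists, then copies ossec.conf, client.keys, sslmanager.cert/key and agent.conf with `\cp -f` without checking the result, and the script has no `set -e`; if any of those files is missing, the copies and the following `chown`/`chmod` fail, yet `touch /wazuh-migration/.migration-completed` still runs and a half-migrated `/var/ossec` is marked done, after which the volume is never retried. Validating every required source before the first copy keeps the flag honest, as sketched below. Separately, `echo $(__colortext "$1" "32")` in `echogreen`/`echoyellow` is unquoted, so messages are subject to word splitting and globbing; `echo "$(__colortext "$1" "32")"` avoids that.
```shell
function_wazuh_migration(){
    if [ -d "/wazuh-migration" ]; then
        if [ ! -e /wazuh-migration/.migration-completed ]; then
            # Every file copied below is required; abort before touching
            # /var/ossec if one is missing instead of flagging a partial copy.
            for required in \
                /wazuh-migration/global.db \
                /wazuh-migration/data/etc/ossec.conf \
                /wazuh-migration/data/etc/client.keys \
                /wazuh-migration/data/etc/sslmanager.cert \
                /wazuh-migration/data/etc/sslmanager.key \
                /wazuh-migration/data/etc/shared/default/agent.conf; do
                if [ ! -e "$required" ]; then
                    echoyellow "The volume mounted on /wazuh-migration does not contain all the correct files."
                    return
                fi
            done

            # … unchanged: cp/chown/chmod of each file, optional .passlist …

            # mark volume as migrated (all sources verified above)
            touch /wazuh-migration/.migration-completed
            # … unchanged: success / already-migrated messages, closing fi, fi, } …
```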
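Review bot: The generator's input `certs.yml` is bind-mounted read-write although the container only needs to read it, and it sits in the same `production_cluster/ssl_certs/` directory that receives the generated keys; mounting the config read-only keeps the generator from altering its own input: `- ./production_cluster/ssl_certs/certs.yml:/usr/src/config/myconf.yml:ro`. The `0.1` tag is pinned, which is good; a digest would make the provenance of the certificate material fully reproducible.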
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 30 Sep 2020 17:49:21 +0200 Subject: [PATCH 107/156] Add complete example for a production cluster --- production-cluster.yml | 203 ++++++++++ .../elasticsearch-node1.yml | 31 ++ .../elasticsearch-node2.yml | 31 ++ .../elasticsearch-node3.yml | 31 ++ .../elastic_opendistro/internal_users.yml | 56 +++ .../kibana_ssl/generate-self-signed-cert.sh | 12 + production_cluster/nginx/nginx.conf | 66 ++++ .../nginx/ssl/generate-self-signed-cert.sh | 12 + production_cluster/ssl_certs/certs.yml | 30 ++ .../wazuh_cluster/wazuh_manager.conf | 349 ++++++++++++++++++ .../wazuh_cluster/wazuh_worker.conf | 349 ++++++++++++++++++ 11 files changed, 1170 insertions(+) create mode 100644 production-cluster.yml create mode 100644 production_cluster/elastic_opendistro/elasticsearch-node1.yml create mode 100644 production_cluster/elastic_opendistro/elasticsearch-node2.yml create mode 100644 production_cluster/elastic_opendistro/elasticsearch-node3.yml create mode 100644 production_cluster/elastic_opendistro/internal_users.yml create mode 100644 production_cluster/kibana_ssl/generate-self-signed-cert.sh create mode 100644 production_cluster/nginx/nginx.conf create mode 100644 production_cluster/nginx/ssl/generate-self-signed-cert.sh create mode 100644 production_cluster/ssl_certs/certs.yml create mode 100644 production_cluster/wazuh_cluster/wazuh_manager.conf create mode 100644 production_cluster/wazuh_cluster/wazuh_worker.conf diff --git a/production-cluster.yml b/production-cluster.yml new file mode 100644 index 00000000..136f0a6d --- /dev/null +++ b/production-cluster.yml 
@@ -0,0 +1,203 @@ +# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2) +version: '3.7' + +services: + wazuh-master: + build: wazuh-opendistro/ + image: wazuh-opendistro + hostname: wazuh-master + restart: always + ports: + - "1515:1515" + - "514:514/udp" + - "55000:55000" + environment: + - ELASTICSEARCH_URL=https://elasticsearch:9200 + - ELASTIC_USERNAME=admin + - ELASTIC_PASSWORD=SecretPassword + - FILEBEAT_SSL_VERIFICATION_MODE=full + - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem + - SSL_CERTIFICATE=/etc/ssl/filebeat.pem + - SSL_KEY=/etc/ssl/filebeat.key + volumes: + - ossec-api-configuration:/var/ossec/api/configuration + - ossec-etc:/var/ossec/etc + - ossec-logs:/var/ossec/logs + - ossec-queue:/var/ossec/queue + - ossec-var-multigroups:/var/ossec/var/multigroups + - ossec-integrations:/var/ossec/integrations + - ossec-active-response:/var/ossec/active-response/bin + - ossec-agentless:/var/ossec/agentless + - ossec-wodles:/var/ossec/wodles + - filebeat-etc:/etc/filebeat + - filebeat-var:/var/lib/filebeat + - ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem + - ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem + - ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key + - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf + + wazuh-worker: + build: wazuh-opendistro/ + image: wazuh-opendistro + hostname: wazuh-worker + restart: always + environment: + - ELASTICSEARCH_URL=https://elasticsearch:9200 + - ELASTIC_USERNAME=admin + - ELASTIC_PASSWORD=SecretPassword + - FILEBEAT_SSL_VERIFICATION_MODE=full + - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem + - SSL_CERTIFICATE=/etc/ssl/filebeat.pem + - SSL_KEY=/etc/ssl/filebeat.key + volumes: + - worker-ossec-api-configuration:/var/ossec/api/configuration + - worker-ossec-etc:/var/ossec/etc + - worker-ossec-logs:/var/ossec/logs + - worker-ossec-queue:/var/ossec/queue + - worker-ossec-var-multigroups:/var/ossec/var/multigroups + - 
worker-ossec-integrations:/var/ossec/integrations + - worker-ossec-active-response:/var/ossec/active-response/bin + - worker-ossec-agentless:/var/ossec/agentless + - worker-ossec-wodles:/var/ossec/wodles + - worker-filebeat-etc:/etc/filebeat + - worker-filebeat-var:/var/lib/filebeat + - ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem + - ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem + - ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key + - ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf + + elasticsearch: + image: amazon/opendistro-for-elasticsearch:1.9.0 + hostname: elasticsearch + restart: always + ports: + - "9200:9200" + environment: + - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + volumes: + - elastic-data-1:/usr/share/elasticsearch/data + - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem + - ./production_cluster/ssl_certs/node1.key:/usr/share/elasticsearch/config/node1.key + - ./production_cluster/ssl_certs/node1.pem:/usr/share/elasticsearch/config/node1.pem + - ./production_cluster/elastic_opendistro/elasticsearch-node1.yml:/usr/share/elasticsearch/config/elasticsearch.yml + - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml + + elasticsearch-2: + image: amazon/opendistro-for-elasticsearch:1.9.0 + hostname: elasticsearch-2 + restart: always + environment: + - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + volumes: + - elastic-data-2:/usr/share/elasticsearch/data + - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem + - ./production_cluster/ssl_certs/node2.key:/usr/share/elasticsearch/config/node2.key + - 
./production_cluster/ssl_certs/node2.pem:/usr/share/elasticsearch/config/node2.pem + - ./production_cluster/elastic_opendistro/elasticsearch-node2.yml:/usr/share/elasticsearch/config/elasticsearch.yml + - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml + + elasticsearch-3: + image: amazon/opendistro-for-elasticsearch:1.9.0 + hostname: elasticsearch-3 + restart: always + environment: + - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + volumes: + - elastic-data-3:/usr/share/elasticsearch/data + - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem + - ./production_cluster/ssl_certs/node3.key:/usr/share/elasticsearch/config/node3.key + - ./production_cluster/ssl_certs/node3.pem:/usr/share/elasticsearch/config/node3.pem + - ./production_cluster/elastic_opendistro/elasticsearch-node3.yml:/usr/share/elasticsearch/config/elasticsearch.yml + - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml + + kibana: + build: kibana-opendistro/ + image: wazuh-kibana-opendistro + hostname: kibana + restart: always + ports: + - 5601:5601 + environment: + - ELASTICSEARCH_USERNAME=admin + - ELASTICSEARCH_PASSWORD=SecretPassword + - SERVER_SSL_ENABLED=true + - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/cert.pem + - SERVER_SSL_KEY=/usr/share/kibana/config/key.pem + - WAZUH_API_URL="https://wazuh-master" + volumes: + - ./production_cluster/kibana_ssl/cert.pem:/usr/share/kibana/config/cert.pem + - ./production_cluster/kibana_ssl/key.pem:/usr/share/kibana/config/key.pem + + depends_on: + - elasticsearch + links: + - elasticsearch:elasticsearch + - wazuh-master:wazuh-master + + nginx: + image: nginx:stable + hostname: nginx + restart: always + ports: + - "80:80" + - "443:443" + - "1514:1514" + 
depends_on: + - wazuh-master + - wazuh-worker + - kibana + links: + - wazuh-master:wazuh-master + - wazuh-worker:wazuh-worker + - kibana:kibana + volumes: + - ./production_cluster/nginx/nginx.conf:/etc/nginx/nginx.conf:ro + - ./production_cluster/nginx/ssl:/etc/nginx/ssl:ro + +volumes: + ossec-api-configuration: + ossec-etc: + ossec-logs: + ossec-queue: + ossec-var-multigroups: + ossec-integrations: + ossec-active-response: + ossec-agentless: + ossec-wodles: + filebeat-etc: + filebeat-var: + worker-ossec-api-configuration: + worker-ossec-etc: + worker-ossec-logs: + worker-ossec-queue: + worker-ossec-var-multigroups: + worker-ossec-integrations: + worker-ossec-active-response: + worker-ossec-agentless: + worker-ossec-wodles: + worker-filebeat-etc: + worker-filebeat-var: + elastic-data-1: + elastic-data-2: + elastic-data-3: diff --git a/production_cluster/elastic_opendistro/elasticsearch-node1.yml b/production_cluster/elastic_opendistro/elasticsearch-node1.yml new file mode 100644 index 00000000..c343818e --- /dev/null +++ b/production_cluster/elastic_opendistro/elasticsearch-node1.yml 
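Review bot: `ELASTIC_PASSWORD=SecretPassword` and `ELASTICSEARCH_PASSWORD=SecretPassword` are hard-coded in a file named production-cluster.yml, and the same file publishes Elasticsearch on `9200:9200`, so anyone who deploys the example unchanged exposes the admin account with a password that is in the repository. Reading it from the environment with no default in the file (`- ELASTIC_PASSWORD=${ELASTIC_PASSWORD}`) forces the operator to pick one. Separately, `- WAZUH_API_URL="https://wazuh-master"` keeps the literal double quotes as part of the value in list-form `environment`, so Kibana receives `"https://wazuh-master"` including the quotes; write `- WAZUH_API_URL=https://wazuh-master`. The private keys (`filebeat.key`, `node*.key`, `key.pem`) could also be mounted `:ro` like the nginx volumes are.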
@@ -0,0 +1,31 @@ +network.host: 0.0.0.0 +cluster.name: wazuh-cluster +node.name: elasticsearch +discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3 +cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3 +bootstrap.memory_lock: true + +opendistro_security.ssl.transport.pemcert_filepath: node1.pem +opendistro_security.ssl.transport.pemkey_filepath: node1.key +opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem +opendistro_security.ssl.transport.enforce_hostname_verification: false +opendistro_security.ssl.transport.resolve_hostname: false +opendistro_security.ssl.http.enabled: true +opendistro_security.ssl.http.pemcert_filepath: node1.pem +opendistro_security.ssl.http.pemkey_filepath: node1.key +opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem +opendistro_security.allow_default_init_securityindex: true +opendistro_security.nodes_dn: + - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com' +opendistro_security.authcz.admin_dn: [] +opendistro_security.audit.type: internal_elasticsearch +opendistro_security.enable_snapshot_restore_privilege: true +opendistro_security.check_snapshot_restore_write_privileges: true +opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] +cluster.routing.allocation.disk.threshold_enabled: false +#opendistro_security.audit.config.disabled_rest_categories: NONE +#opendistro_security.audit.config.disabled_transport_categories: NONE +opendistro_security.audit.log_request_body: false diff --git a/production_cluster/elastic_opendistro/elasticsearch-node2.yml b/production_cluster/elastic_opendistro/elasticsearch-node2.yml new file mode 100644 index 00000000..3e9bae49 --- /dev/null +++ b/production_cluster/elastic_opendistro/elasticsearch-node2.yml 
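Review bot: `opendistro_security.authcz.admin_dn: []` lists no certificate DN with admin rights, so once `allow_default_init_securityindex: true` has loaded the security index from the mounted internal_users.yml there is no certificate that securityadmin.sh accepts for rotating those users or roles; elasticsearch-node2.yml and elasticsearch-node3.yml (the next two files) carry the same setting. The certs.yml added in this commit only defines node and filebeat certificates, so an admin certificate would have to be added there and its DN listed here, e.g. `opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']` (constructed example). `opendistro_security.ssl.transport.enforce_hostname_verification: false` also means any certificate from the CA is accepted from any host on the transport layer; presumably acceptable on an isolated compose network, but worth a comment saying so.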
@@ -0,0 +1,31 @@ +network.host: 0.0.0.0 +cluster.name: wazuh-cluster +node.name: elasticsearch-2 +discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3 +cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3 +bootstrap.memory_lock: true + +opendistro_security.ssl.transport.pemcert_filepath: node2.pem +opendistro_security.ssl.transport.pemkey_filepath: node2.key +opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem +opendistro_security.ssl.transport.enforce_hostname_verification: false +opendistro_security.ssl.transport.resolve_hostname: false +opendistro_security.ssl.http.enabled: true +opendistro_security.ssl.http.pemcert_filepath: node2.pem +opendistro_security.ssl.http.pemkey_filepath: node2.key +opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem +opendistro_security.allow_default_init_securityindex: true +opendistro_security.nodes_dn: + - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com' +opendistro_security.authcz.admin_dn: [] +opendistro_security.audit.type: internal_elasticsearch +opendistro_security.enable_snapshot_restore_privilege: true +opendistro_security.check_snapshot_restore_write_privileges: true +opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] +cluster.routing.allocation.disk.threshold_enabled: false +#opendistro_security.audit.config.disabled_rest_categories: NONE +#opendistro_security.audit.config.disabled_transport_categories: NONE +opendistro_security.audit.log_request_body: false diff --git a/production_cluster/elastic_opendistro/elasticsearch-node3.yml b/production_cluster/elastic_opendistro/elasticsearch-node3.yml new file mode 100644 index 00000000..574bce5c --- /dev/null +++ b/production_cluster/elastic_opendistro/elasticsearch-node3.yml 
@@ -0,0 +1,31 @@ +network.host: 0.0.0.0 +cluster.name: wazuh-cluster +node.name: elasticsearch-3 +discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3 +cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3 +bootstrap.memory_lock: true + +opendistro_security.ssl.transport.pemcert_filepath: node3.pem +opendistro_security.ssl.transport.pemkey_filepath: node3.key +opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem +opendistro_security.ssl.transport.enforce_hostname_verification: false +opendistro_security.ssl.transport.resolve_hostname: false +opendistro_security.ssl.http.enabled: true +opendistro_security.ssl.http.pemcert_filepath: node3.pem +opendistro_security.ssl.http.pemkey_filepath: node3.key +opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem +opendistro_security.allow_default_init_securityindex: true +opendistro_security.nodes_dn: + - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com' +opendistro_security.authcz.admin_dn: [] +opendistro_security.audit.type: internal_elasticsearch +opendistro_security.enable_snapshot_restore_privilege: true +opendistro_security.check_snapshot_restore_write_privileges: true +opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] +cluster.routing.allocation.disk.threshold_enabled: false +#opendistro_security.audit.config.disabled_rest_categories: NONE +#opendistro_security.audit.config.disabled_transport_categories: NONE +opendistro_security.audit.log_request_body: false diff --git a/production_cluster/elastic_opendistro/internal_users.yml b/production_cluster/elastic_opendistro/internal_users.yml new file mode 100644 index 00000000..d9f05b34 --- /dev/null +++ b/production_cluster/elastic_opendistro/internal_users.yml 
@@ -0,0 +1,56 @@ +--- +# This is the internal user database +# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh + +_meta: + type: "internalusers" + config_version: 2 + +# Define your internal users here + +## Demo users + +admin: + hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO" + reserved: true + backend_roles: + - "admin" + description: "Demo admin user" + +kibanaserver: + hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H." + reserved: true + description: "Demo kibanaserver user" + +kibanaro: + hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC" + reserved: false + backend_roles: + - "kibanauser" + - "readall" + attributes: + attribute1: "value1" + attribute2: "value2" + attribute3: "value3" + description: "Demo kibanaro user" + +logstash: + hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2" + reserved: false + backend_roles: + - "logstash" + description: "Demo logstash user" + +readall: + hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2" + reserved: false + backend_roles: + - "readall" + description: "Demo readall user" + +snapshotrestore: + hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W" + reserved: false + backend_roles: + - "snapshotrestore" + description: "Demo snapshotrestore user" diff --git a/production_cluster/kibana_ssl/generate-self-signed-cert.sh b/production_cluster/kibana_ssl/generate-self-signed-cert.sh new file mode 100644 index 00000000..e006733f --- /dev/null +++ b/production_cluster/kibana_ssl/generate-self-signed-cert.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +cd $DIR + +if [ -s key.pem ] +then + echo "Certificate already exists" + exit +else + openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem +fi 
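Review bot: The file ships bcrypt hashes described as "Demo ... user" and is mounted into a cluster named production; the top comment says how hashes are generated, but nothing requires the operator to do so before first start, and the node configs' `allow_default_init_securityindex: true` load these entries as they are. The `kibanaro`, `logstash`, `readall` and `snapshotrestore` users are not referenced by any service in production-cluster.yml, so removing them shrinks the set of accounts that has to be rotated. A comment above `admin:` such as `# Demo values: regenerate every hash below with plugin/tools/hash.sh before first start` would make the expectation explicit.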
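Review bot: `cd $DIR` in generate-self-signed-cert.sh is unquoted and unchecked, so a path containing spaces or a failed `cd` leaves `key.pem`/`cert.pem` written into the caller's working directory; `cd "$DIR" || exit 1` fixes both. The script is byte-identical (blob e006733f) to production_cluster/nginx/ssl/generate-self-signed-cert.sh in the same commit, so one shared script taking the output directory as an argument would avoid the duplicate. A header comment stating that the key is written unencrypted (`-nodes`) and that the `cert.pem`/`key.pem` names are what production-cluster.yml mounts would help operators.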
diff --git a/production_cluster/nginx/nginx.conf b/production_cluster/nginx/nginx.conf new file mode 100644 index 00000000..a02465fe --- /dev/null +++ b/production_cluster/nginx/nginx.conf @@ -0,0 +1,66 @@ +user nginx; +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + tcp_nopush on; + + keepalive_timeout 65; + + gzip on; + + # kibana UI + server { + listen 80; + listen [::]:80; + return 301 https://$host:443$request_uri; + } + + server { + listen 443 default_server ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/nginx/ssl/cert.pem; + ssl_certificate_key /etc/nginx/ssl/key.pem; + location / { + proxy_pass https://kibana:5601/; + proxy_ssl_verify off; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + } + } + +} + + + +# load balancer for Wazuh cluster +stream { + upstream mycluster { + hash $remote_addr consistent; + server wazuh-master:1514; + server wazuh-worker:1514; + } + server { + listen 1514; + proxy_pass mycluster; + } +} diff --git a/production_cluster/nginx/ssl/generate-self-signed-cert.sh b/production_cluster/nginx/ssl/generate-self-signed-cert.sh new file mode 100644 index 00000000..e006733f --- /dev/null +++ b/production_cluster/nginx/ssl/generate-self-signed-cert.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +cd $DIR + +if [ -s key.pem ] +then + echo "Certificate already exists" + exit +else + openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem +fi 
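Review bot: `proxy_ssl_verify off;` in the Kibana `location /` makes nginx accept any certificate from the upstream named `kibana`, so TLS to Kibana provides confidentiality but no authentication of the backend. Since the Kibana certificate is generated into production_cluster/kibana_ssl/cert.pem in this same commit, it can be mounted and trusted explicitly, provided it is issued for the name `kibana`: `proxy_ssl_trusted_certificate /etc/nginx/ssl/kibana-cert.pem; proxy_ssl_verify on; proxy_ssl_name kibana;` (mount path is a constructed example). The 443 server also sets no `proxy_set_header`, so Kibana sees nginx as the client and the `$http_x_forwarded_for` field in `log_format main` stays empty; `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` would fix that. The `stream` block's `hash $remote_addr consistent` is what keeps an agent on one manager; a comment saying so would stop someone switching it to round-robin.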
diff --git a/production_cluster/ssl_certs/certs.yml b/production_cluster/ssl_certs/certs.yml new file mode 100644 index 00000000..f7dad185 --- /dev/null +++ b/production_cluster/ssl_certs/certs.yml @@ -0,0 +1,30 @@ +ca: + root: + dn: CN=root-ca,OU=CA,O=Example\, Inc.,DC=example,DC=com + pkPassword: none + keysize: 2048 + file: root-ca.pem + intermediate: + dn: CN=intermediate,OU=CA,O=Example\, Inc.,DC=example,DC=com + keysize: 2048 + validityDays: 3650 + pkPassword: intermediate-ca-password + file: intermediate-ca.pem + +nodes: + - name: node1 + dn: CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com + dns: + - elasticsearch + - name: node2 + dn: CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com + dns: + - elasticsearch-2 + - name: node3 + dn: CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com + dns: + - elasticsearch-3 + - name: filebeat + dn: CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com + dns: + - wazuh diff --git a/production_cluster/wazuh_cluster/wazuh_manager.conf b/production_cluster/wazuh_cluster/wazuh_manager.conf new file mode 100644 index 00000000..740321bb --- /dev/null +++ b/production_cluster/wazuh_cluster/wazuh_manager.conf 
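Review bot: `pkPassword: intermediate-ca-password` commits the password protecting the intermediate CA key, and the root CA uses `pkPassword: none`, so anyone with the repository can issue node or client certificates the cluster trusts. The generator config should take these from the environment or an uncommitted file, and a comment should state that the generated `root-ca.pem` and intermediate key material must not be checked in. The filebeat entry's `dns: - wazuh` does not match the `wazuh-master`/`wazuh-worker` service names in production-cluster.yml; presumably harmless for a client certificate, but worth aligning or explaining in a comment.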
@@ -0,0 +1,349 @@ + + + yes + yes + no + no + no + smtp.example.wazuh.com + ossecm@example.wazuh.com + recipient@example.wazuh.com + 12 + alerts.log + + + + 3 + 12 + + + + + plain + + + + secure + 1514 + tcp + 131072 + + + + + no + yes + yes + yes + yes + yes + yes + yes + + + 43200 + + /var/ossec/etc/rootcheck/rootkit_files.txt + /var/ossec/etc/rootcheck/rootkit_trojans.txt + + yes + + + + yes + 1800 + 1d + yes + + wodles/java + wodles/ciscat + + + + + yes + yes + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + yes + + + + + no + 1h + yes + yes + yes + yes + yes + yes + yes + + + + yes + yes + 12h + yes + + + + no + 5m + 6h + yes + + + + no + trusty + xenial + bionic + focal + 1h + + + + + no + stretch + buster + 1h + + + + + no + 5 + 6 + 7 + 8 + 1h + + + + + yes + 1h + + + + + yes + 2010 + 1h + + + + + + + no + + + 43200 + + yes + + + yes + + + no + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin,/boot + + + /etc/mtab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/random.seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + + + .log$|.swp$ + + + /etc/ssl/private.key + + yes + yes + yes + yes + + + 10 + + + 100 + + + + yes + 5m + 1h + 10 + + + + + + 127.0.0.1 + ^localhost.localdomain$ + 4.2.2.1 + 4.2.2.2 + 208.67.220.220 + + + + disable-account + disable-account.sh + user + yes + + + + restart-ossec + restart-ossec.sh + + + + + firewall-drop + firewall-drop.sh + srcip + yes + + + + host-deny + host-deny.sh + srcip + yes + + + + route-null + route-null.sh + srcip + yes + + + + win_route-null + route-null.cmd + srcip + yes + + + + win_route-null-2012 + route-null-2012.cmd + srcip + yes + + + + netsh + netsh.cmd + srcip + yes + + + + netsh-win-2016 + netsh-win-2016.cmd + srcip + yes + + + + + + + command + df -P + 360 + + + + full_command + netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ 
\([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + netstat listening ports + 360 + + + + full_command + last -n 20 + 360 + + + + + ruleset/decoders + ruleset/rules + 0215-policy_rules.xml + etc/lists/audit-keys + etc/lists/amazon/aws-eventnames + etc/lists/security-eventchannel + + + etc/decoders + etc/rules + + + + + no + 1515 + no + yes + 0 + yes + no + yes + HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH + + no + /var/ossec/etc/sslmanager.cert + /var/ossec/etc/sslmanager.key + no + + + + wazuh + manager + master + c98b6ha9b6169zc5f67rae55ae4z5647 + 1516 + 0.0.0.0 + + wazuh-master + + no + no + + + + + + + syslog + /var/ossec/logs/active-responses.log + + diff --git a/production_cluster/wazuh_cluster/wazuh_worker.conf b/production_cluster/wazuh_cluster/wazuh_worker.conf new file mode 100644 index 00000000..59462183 --- /dev/null +++ b/production_cluster/wazuh_cluster/wazuh_worker.conf 
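Review bot: The cluster section carries a literal 32-character key, `c98b6ha9b6169zc5f67rae55ae4z5647`, and the `wazuh_worker.conf` added in the next hunk ships the same value, so a deployment that copies `production_cluster` unchanged runs a manager cluster whose node-authentication secret is published in this repository and bound on `0.0.0.0` port 1516. The element names around these values are not visible in this rendering, so the layout is inferred from the standard ossec.conf ordering; the fix is documentary in both files, an XML comment above the key such as `<!-- sample cluster key: replace with a freshly generated 32-character random value before deployment -->`. The enrolment block on port 1515 also appears to keep `use_password` at `no` and `ssl_verify_host` at `no`, which matches the upstream default; a one-line comment noting that agent enrolment is unauthenticated with these settings would help operators harden the sample before exposing it.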
@@ -0,0 +1,349 @@ + + + yes + yes + no + no + no + smtp.example.wazuh.com + ossecm@example.wazuh.com + recipient@example.wazuh.com + 12 + alerts.log + + + + 3 + 12 + + + + + plain + + + + secure + 1514 + tcp + 131072 + + + + + no + yes + yes + yes + yes + yes + yes + yes + + + 43200 + + /var/ossec/etc/rootcheck/rootkit_files.txt + /var/ossec/etc/rootcheck/rootkit_trojans.txt + + yes + + + + yes + 1800 + 1d + yes + + wodles/java + wodles/ciscat + + + + + yes + yes + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + yes + + + + + no + 1h + yes + yes + yes + yes + yes + yes + yes + + + + yes + yes + 12h + yes + + + + no + 5m + 6h + yes + + + + no + trusty + xenial + bionic + focal + 1h + + + + + no + stretch + buster + 1h + + + + + no + 5 + 6 + 7 + 8 + 1h + + + + + yes + 1h + + + + + yes + 2010 + 1h + + + + + + + no + + + 43200 + + yes + + + yes + + + no + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin,/boot + + + /etc/mtab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/random.seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + + + .log$|.swp$ + + + /etc/ssl/private.key + + yes + yes + yes + yes + + + 10 + + + 100 + + + + yes + 5m + 1h + 10 + + + + + + 127.0.0.1 + ^localhost.localdomain$ + 4.2.2.1 + 4.2.2.2 + 208.67.220.220 + + + + disable-account + disable-account.sh + user + yes + + + + restart-ossec + restart-ossec.sh + + + + + firewall-drop + firewall-drop.sh + srcip + yes + + + + host-deny + host-deny.sh + srcip + yes + + + + route-null + route-null.sh + srcip + yes + + + + win_route-null + route-null.cmd + srcip + yes + + + + win_route-null-2012 + route-null-2012.cmd + srcip + yes + + + + netsh + netsh.cmd + srcip + yes + + + + netsh-win-2016 + netsh-win-2016.cmd + srcip + yes + + + + + + + command + df -P + 360 + + + + full_command + netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ 
\([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + netstat listening ports + 360 + + + + full_command + last -n 20 + 360 + + + + + ruleset/decoders + ruleset/rules + 0215-policy_rules.xml + etc/lists/audit-keys + etc/lists/amazon/aws-eventnames + etc/lists/security-eventchannel + + + etc/decoders + etc/rules + + + + + no + 1515 + no + yes + 0 + yes + no + yes + HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH + + no + /var/ossec/etc/sslmanager.cert + /var/ossec/etc/sslmanager.key + no + + + + wazuh + worker01 + worker + c98b6ha9b6169zc5f67rae55ae4z5647 + 1516 + 0.0.0.0 + + wazuh-master + + no + no + + + + + + + syslog + /var/ossec/logs/active-responses.log + + From 4cb18cc1890aed1a56deb4077e29c2dd18a9db10 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 2 Oct 2020 10:52:37 +0200 Subject: [PATCH 108/156] Bump sample ODFE cluster to 1.10.1 --- docker-compose.yml | 2 +- kibana-opendistro/Dockerfile | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 4e859267..67fe1c5f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -31,7 +31,7 @@ services: - filebeat_var:/var/lib/filebeat elasticsearch: - image: amazon/opendistro-for-elasticsearch:1.9.0 + image: amazon/opendistro-for-elasticsearch:1.10.1 hostname: elasticsearch restart: always ports: diff --git a/kibana-opendistro/Dockerfile b/kibana-opendistro/Dockerfile index 82631ca2..bdd80f9c 100644 --- a/kibana-opendistro/Dockerfile +++ b/kibana-opendistro/Dockerfile @@ -1,7 +1,7 @@ # Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) -FROM amazon/opendistro-for-elasticsearch-kibana:1.9.0 +FROM amazon/opendistro-for-elasticsearch-kibana:1.10.1 USER kibana -ARG ELASTIC_VERSION=7.8.0 +ARG ELASTIC_VERSION=7.9.1 ARG WAZUH_VERSION=4.0.0 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" 
From 9c94c43d6564d6ef4cd69c49fe73dcf620a91d02 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 2 Oct 2020 10:52:58 +0200 Subject: [PATCH 109/156] Fix Kibana status check --- kibana-opendistro/config/kibana_settings.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kibana-opendistro/config/kibana_settings.sh b/kibana-opendistro/config/kibana_settings.sh index 19cae116..b0c56e4d 100644 --- a/kibana-opendistro/config/kibana_settings.sh +++ b/kibana-opendistro/config/kibana_settings.sh @@ -29,7 +29,7 @@ if [ "$KIBANA_INDEX" != "" ]; then echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml fi -while [[ "$(curl -XGET -I -s -o /dev/null -w '%{http_code}' -k https://127.0.0.1:5601/login)" != "200" ]]; do +while [[ "$(curl -XGET -I -s -o /dev/null -w '%{http_code}' -k https://127.0.0.1:5601/app/login)" != "200" ]]; do echo "Waiting for Kibana API. Sleeping 5 seconds" sleep 5 done From cc20d98ae5153be0447e2e584bbe638eda537e1e Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 2 Oct 2020 17:09:11 +0200 Subject: [PATCH 110/156] Fix custom welcome for ODFE 1.10.1 --- .../custom_welcome/light_theme.style.css | 4349 +++++++++++++++++ .../custom_welcome/security-login.style.css | 118 - .../config/custom_welcome/template.js.hbs | 36 +- kibana-opendistro/config/welcome_wazuh.sh | 2 +- 4 files changed, 4368 insertions(+), 137 deletions(-) create mode 100644 kibana-opendistro/config/custom_welcome/light_theme.style.css delete mode 100644 kibana-opendistro/config/custom_welcome/security-login.style.css diff --git a/kibana-opendistro/config/custom_welcome/light_theme.style.css b/kibana-opendistro/config/custom_welcome/light_theme.style.css new file mode 100644 index 00000000..a1256a82 --- /dev/null +++ b/kibana-opendistro/config/custom_welcome/light_theme.style.css 
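Review bot: The readiness loop around the changed `curl` line has no upper bound, so if Kibana never answers 200 on `/app/login` (a path that differs again in a later image, a TLS failure, a crash loop) the init script spins forever and the container looks alive while doing nothing; adding `attempts=$((attempts+1))` and `[ "$attempts" -ge 60 ] && { echo "Kibana did not become ready"; exit 1; }` before `sleep 5` gives the failure a visible exit code. `curl -k` against `https://127.0.0.1:5601` is loopback, so skipping certificate verification is defensible here, but a short comment, `# loopback to the local Kibana; its self-signed certificate is expected`, records that decision for the next reader. The script enclosing the `while` loop continues outside the hunk.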
@@ -0,0 +1,4349 @@ +/*! + * Bootstrap v3.3.6 (http://getbootstrap.com) + * Copyright 2011-2015 Twitter, Inc. + * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) + */ +/* @notice + * This product bundles bootstrap@3.3.6 which is available under a + * "MIT" license. + * + * The MIT License (MIT) + * + * Copyright (c) 2011-2015 Twitter, Inc + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ +.container { + margin-right: auto; + margin-left: auto; + padding-left: 15px; + padding-right: 15px; +} +@media (min-width: 768px) { + .container { + width: 750px; + } +} +@media (min-width: 992px) { + .container { + width: 970px; + } +} +@media (min-width: 1200px) { + .container { + width: 1170px; + } +} +.container-fluid { + margin-right: auto; + margin-left: auto; + padding-left: 15px; + padding-right: 15px; +} +.row { + margin-left: -15px; + margin-right: -15px; +} +.col-xs-1, .col-sm-1, .col-md-1, .col-lg-1, .col-xs-2, .col-sm-2, .col-md-2, .col-lg-2, .col-xs-3, .col-sm-3, .col-md-3, .col-lg-3, .col-xs-4, .col-sm-4, .col-md-4, .col-lg-4, .col-xs-5, .col-sm-5, .col-md-5, .col-lg-5, .col-xs-6, .col-sm-6, .col-md-6, .col-lg-6, .col-xs-7, .col-sm-7, .col-md-7, .col-lg-7, .col-xs-8, .col-sm-8, .col-md-8, .col-lg-8, .col-xs-9, .col-sm-9, .col-md-9, .col-lg-9, .col-xs-10, .col-sm-10, .col-md-10, .col-lg-10, .col-xs-11, .col-sm-11, .col-md-11, .col-lg-11, .col-xs-12, .col-sm-12, .col-md-12, .col-lg-12 { + position: relative; + min-height: 1px; + padding-left: 15px; + padding-right: 15px; +} +.col-xs-1, .col-xs-2, .col-xs-3, .col-xs-4, .col-xs-5, .col-xs-6, .col-xs-7, .col-xs-8, .col-xs-9, .col-xs-10, .col-xs-11, .col-xs-12 { + float: left; +} +.col-xs-12 { + width: 100%; +} +.col-xs-11 { + width: 91.66666667%; +} +.col-xs-10 { + width: 83.33333333%; +} +.col-xs-9 { + width: 75%; +} +.col-xs-8 { + width: 66.66666667%; +} +.col-xs-7 { + width: 58.33333333%; +} +.col-xs-6 { + width: 50%; +} +.col-xs-5 { + width: 41.66666667%; +} +.col-xs-4 { + width: 33.33333333%; +} +.col-xs-3 { + width: 25%; +} +.col-xs-2 { + width: 16.66666667%; +} +.col-xs-1 { + width: 8.33333333%; +} +.col-xs-pull-12 { + right: 100%; +} +.col-xs-pull-11 { + right: 91.66666667%; +} +.col-xs-pull-10 { + right: 83.33333333%; +} +.col-xs-pull-9 { + right: 75%; +} +.col-xs-pull-8 { + right: 66.66666667%; +} +.col-xs-pull-7 { + right: 58.33333333%; +} +.col-xs-pull-6 { + right: 50%; +} 
+.col-xs-pull-5 { + right: 41.66666667%; +} +.col-xs-pull-4 { + right: 33.33333333%; +} +.col-xs-pull-3 { + right: 25%; +} +.col-xs-pull-2 { + right: 16.66666667%; +} +.col-xs-pull-1 { + right: 8.33333333%; +} +.col-xs-pull-0 { + right: auto; +} +.col-xs-push-12 { + left: 100%; +} +.col-xs-push-11 { + left: 91.66666667%; +} +.col-xs-push-10 { + left: 83.33333333%; +} +.col-xs-push-9 { + left: 75%; +} +.col-xs-push-8 { + left: 66.66666667%; +} +.col-xs-push-7 { + left: 58.33333333%; +} +.col-xs-push-6 { + left: 50%; +} +.col-xs-push-5 { + left: 41.66666667%; +} +.col-xs-push-4 { + left: 33.33333333%; +} +.col-xs-push-3 { + left: 25%; +} +.col-xs-push-2 { + left: 16.66666667%; +} +.col-xs-push-1 { + left: 8.33333333%; +} +.col-xs-push-0 { + left: auto; +} +.col-xs-offset-12 { + margin-left: 100%; +} +.col-xs-offset-11 { + margin-left: 91.66666667%; +} +.col-xs-offset-10 { + margin-left: 83.33333333%; +} +.col-xs-offset-9 { + margin-left: 75%; +} +.col-xs-offset-8 { + margin-left: 66.66666667%; +} +.col-xs-offset-7 { + margin-left: 58.33333333%; +} +.col-xs-offset-6 { + margin-left: 50%; +} +.col-xs-offset-5 { + margin-left: 41.66666667%; +} +.col-xs-offset-4 { + margin-left: 33.33333333%; +} +.col-xs-offset-3 { + margin-left: 25%; +} +.col-xs-offset-2 { + margin-left: 16.66666667%; +} +.col-xs-offset-1 { + margin-left: 8.33333333%; +} +.col-xs-offset-0 { + margin-left: 0%; +} +@media (min-width: 768px) { + .col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6, .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, .col-sm-12 { + float: left; + } + .col-sm-12 { + width: 100%; + } + .col-sm-11 { + width: 91.66666667%; + } + .col-sm-10 { + width: 83.33333333%; + } + .col-sm-9 { + width: 75%; + } + .col-sm-8 { + width: 66.66666667%; + } + .col-sm-7 { + width: 58.33333333%; + } + .col-sm-6 { + width: 50%; + } + .col-sm-5 { + width: 41.66666667%; + } + .col-sm-4 { + width: 33.33333333%; + } + .col-sm-3 { + width: 25%; + } + .col-sm-2 { + width: 16.66666667%; + 
} + .col-sm-1 { + width: 8.33333333%; + } + .col-sm-pull-12 { + right: 100%; + } + .col-sm-pull-11 { + right: 91.66666667%; + } + .col-sm-pull-10 { + right: 83.33333333%; + } + .col-sm-pull-9 { + right: 75%; + } + .col-sm-pull-8 { + right: 66.66666667%; + } + .col-sm-pull-7 { + right: 58.33333333%; + } + .col-sm-pull-6 { + right: 50%; + } + .col-sm-pull-5 { + right: 41.66666667%; + } + .col-sm-pull-4 { + right: 33.33333333%; + } + .col-sm-pull-3 { + right: 25%; + } + .col-sm-pull-2 { + right: 16.66666667%; + } + .col-sm-pull-1 { + right: 8.33333333%; + } + .col-sm-pull-0 { + right: auto; + } + .col-sm-push-12 { + left: 100%; + } + .col-sm-push-11 { + left: 91.66666667%; + } + .col-sm-push-10 { + left: 83.33333333%; + } + .col-sm-push-9 { + left: 75%; + } + .col-sm-push-8 { + left: 66.66666667%; + } + .col-sm-push-7 { + left: 58.33333333%; + } + .col-sm-push-6 { + left: 50%; + } + .col-sm-push-5 { + left: 41.66666667%; + } + .col-sm-push-4 { + left: 33.33333333%; + } + .col-sm-push-3 { + left: 25%; + } + .col-sm-push-2 { + left: 16.66666667%; + } + .col-sm-push-1 { + left: 8.33333333%; + } + .col-sm-push-0 { + left: auto; + } + .col-sm-offset-12 { + margin-left: 100%; + } + .col-sm-offset-11 { + margin-left: 91.66666667%; + } + .col-sm-offset-10 { + margin-left: 83.33333333%; + } + .col-sm-offset-9 { + margin-left: 75%; + } + .col-sm-offset-8 { + margin-left: 66.66666667%; + } + .col-sm-offset-7 { + margin-left: 58.33333333%; + } + .col-sm-offset-6 { + margin-left: 50%; + } + .col-sm-offset-5 { + margin-left: 41.66666667%; + } + .col-sm-offset-4 { + margin-left: 33.33333333%; + } + .col-sm-offset-3 { + margin-left: 25%; + } + .col-sm-offset-2 { + margin-left: 16.66666667%; + } + .col-sm-offset-1 { + margin-left: 8.33333333%; + } + .col-sm-offset-0 { + margin-left: 0%; + } +} +@media (min-width: 992px) { + .col-md-1, .col-md-2, .col-md-3, .col-md-4, .col-md-5, .col-md-6, .col-md-7, .col-md-8, .col-md-9, .col-md-10, .col-md-11, .col-md-12 { + float: left; + } + 
.col-md-12 { + width: 100%; + } + .col-md-11 { + width: 91.66666667%; + } + .col-md-10 { + width: 83.33333333%; + } + .col-md-9 { + width: 75%; + } + .col-md-8 { + width: 66.66666667%; + } + .col-md-7 { + width: 58.33333333%; + } + .col-md-6 { + width: 50%; + } + .col-md-5 { + width: 41.66666667%; + } + .col-md-4 { + width: 33.33333333%; + } + .col-md-3 { + width: 25%; + } + .col-md-2 { + width: 16.66666667%; + } + .col-md-1 { + width: 8.33333333%; + } + .col-md-pull-12 { + right: 100%; + } + .col-md-pull-11 { + right: 91.66666667%; + } + .col-md-pull-10 { + right: 83.33333333%; + } + .col-md-pull-9 { + right: 75%; + } + .col-md-pull-8 { + right: 66.66666667%; + } + .col-md-pull-7 { + right: 58.33333333%; + } + .col-md-pull-6 { + right: 50%; + } + .col-md-pull-5 { + right: 41.66666667%; + } + .col-md-pull-4 { + right: 33.33333333%; + } + .col-md-pull-3 { + right: 25%; + } + .col-md-pull-2 { + right: 16.66666667%; + } + .col-md-pull-1 { + right: 8.33333333%; + } + .col-md-pull-0 { + right: auto; + } + .col-md-push-12 { + left: 100%; + } + .col-md-push-11 { + left: 91.66666667%; + } + .col-md-push-10 { + left: 83.33333333%; + } + .col-md-push-9 { + left: 75%; + } + .col-md-push-8 { + left: 66.66666667%; + } + .col-md-push-7 { + left: 58.33333333%; + } + .col-md-push-6 { + left: 50%; + } + .col-md-push-5 { + left: 41.66666667%; + } + .col-md-push-4 { + left: 33.33333333%; + } + .col-md-push-3 { + left: 25%; + } + .col-md-push-2 { + left: 16.66666667%; + } + .col-md-push-1 { + left: 8.33333333%; + } + .col-md-push-0 { + left: auto; + } + .col-md-offset-12 { + margin-left: 100%; + } + .col-md-offset-11 { + margin-left: 91.66666667%; + } + .col-md-offset-10 { + margin-left: 83.33333333%; + } + .col-md-offset-9 { + margin-left: 75%; + } + .col-md-offset-8 { + margin-left: 66.66666667%; + } + .col-md-offset-7 { + margin-left: 58.33333333%; + } + .col-md-offset-6 { + margin-left: 50%; + } + .col-md-offset-5 { + margin-left: 41.66666667%; + } + .col-md-offset-4 { + 
margin-left: 33.33333333%; + } + .col-md-offset-3 { + margin-left: 25%; + } + .col-md-offset-2 { + margin-left: 16.66666667%; + } + .col-md-offset-1 { + margin-left: 8.33333333%; + } + .col-md-offset-0 { + margin-left: 0%; + } +} +@media (min-width: 1200px) { + .col-lg-1, .col-lg-2, .col-lg-3, .col-lg-4, .col-lg-5, .col-lg-6, .col-lg-7, .col-lg-8, .col-lg-9, .col-lg-10, .col-lg-11, .col-lg-12 { + float: left; + } + .col-lg-12 { + width: 100%; + } + .col-lg-11 { + width: 91.66666667%; + } + .col-lg-10 { + width: 83.33333333%; + } + .col-lg-9 { + width: 75%; + } + .col-lg-8 { + width: 66.66666667%; + } + .col-lg-7 { + width: 58.33333333%; + } + .col-lg-6 { + width: 50%; + } + .col-lg-5 { + width: 41.66666667%; + } + .col-lg-4 { + width: 33.33333333%; + } + .col-lg-3 { + width: 25%; + } + .col-lg-2 { + width: 16.66666667%; + } + .col-lg-1 { + width: 8.33333333%; + } + .col-lg-pull-12 { + right: 100%; + } + .col-lg-pull-11 { + right: 91.66666667%; + } + .col-lg-pull-10 { + right: 83.33333333%; + } + .col-lg-pull-9 { + right: 75%; + } + .col-lg-pull-8 { + right: 66.66666667%; + } + .col-lg-pull-7 { + right: 58.33333333%; + } + .col-lg-pull-6 { + right: 50%; + } + .col-lg-pull-5 { + right: 41.66666667%; + } + .col-lg-pull-4 { + right: 33.33333333%; + } + .col-lg-pull-3 { + right: 25%; + } + .col-lg-pull-2 { + right: 16.66666667%; + } + .col-lg-pull-1 { + right: 8.33333333%; + } + .col-lg-pull-0 { + right: auto; + } + .col-lg-push-12 { + left: 100%; + } + .col-lg-push-11 { + left: 91.66666667%; + } + .col-lg-push-10 { + left: 83.33333333%; + } + .col-lg-push-9 { + left: 75%; + } + .col-lg-push-8 { + left: 66.66666667%; + } + .col-lg-push-7 { + left: 58.33333333%; + } + .col-lg-push-6 { + left: 50%; + } + .col-lg-push-5 { + left: 41.66666667%; + } + .col-lg-push-4 { + left: 33.33333333%; + } + .col-lg-push-3 { + left: 25%; + } + .col-lg-push-2 { + left: 16.66666667%; + } + .col-lg-push-1 { + left: 8.33333333%; + } + .col-lg-push-0 { + left: auto; + } + .col-lg-offset-12 { 
+ margin-left: 100%; + } + .col-lg-offset-11 { + margin-left: 91.66666667%; + } + .col-lg-offset-10 { + margin-left: 83.33333333%; + } + .col-lg-offset-9 { + margin-left: 75%; + } + .col-lg-offset-8 { + margin-left: 66.66666667%; + } + .col-lg-offset-7 { + margin-left: 58.33333333%; + } + .col-lg-offset-6 { + margin-left: 50%; + } + .col-lg-offset-5 { + margin-left: 41.66666667%; + } + .col-lg-offset-4 { + margin-left: 33.33333333%; + } + .col-lg-offset-3 { + margin-left: 25%; + } + .col-lg-offset-2 { + margin-left: 16.66666667%; + } + .col-lg-offset-1 { + margin-left: 8.33333333%; + } + .col-lg-offset-0 { + margin-left: 0%; + } +} +.table { + width: 100%; + max-width: 100%; + margin-bottom: 20px; + font-size: 14px; +} +.table thead { + font-size: 12px; +} +.table > thead > tr > th, +.table > tbody > tr > th, +.table > tfoot > tr > th, +.table > thead > tr > td, +.table > tbody > tr > td, +.table > tfoot > tr > td { + padding: 8px; + line-height: 1.42857143; + vertical-align: top; + border-top: 1px solid #D3DAE6; +} +.table > thead > tr > th { + vertical-align: bottom; + border-bottom: 1px solid #D3DAE6; +} +.table > caption + thead > tr:first-child > th, +.table > colgroup + thead > tr:first-child > th, +.table > thead:first-child > tr:first-child > th, +.table > caption + thead > tr:first-child > td, +.table > colgroup + thead > tr:first-child > td, +.table > thead:first-child > tr:first-child > td { + border-top: 0; +} +.table > tbody + tbody { + border-top: 2px solid #D3DAE6; +} +.table .table { + background-color: #FFF; +} +.table-condensed > thead > tr > th, +.table-condensed > tbody > tr > th, +.table-condensed > tfoot > tr > th, +.table-condensed > thead > tr > td, +.table-condensed > tbody > tr > td, +.table-condensed > tfoot > tr > td { + padding: 5px; + font-size: 12px; +} +.table-bordered { + border: 1px solid #D3DAE6; +} +.table-bordered > thead > tr > th, +.table-bordered > tbody > tr > th, +.table-bordered > tfoot > tr > th, +.table-bordered > thead 
> tr > td, +.table-bordered > tbody > tr > td, +.table-bordered > tfoot > tr > td { + border: 1px solid #D3DAE6; +} +.table-bordered > thead > tr > th, +.table-bordered > thead > tr > td { + border-bottom-width: 2px; +} +.table-striped > tbody > tr:nth-of-type(odd) { + background-color: #D3DAE6; +} +.table-hover > tbody > tr:hover { + background-color: #D3DAE6; +} +table col[class*="col-"] { + position: static; + float: none; + display: table-column; +} +table td[class*="col-"], +table th[class*="col-"] { + position: static; + float: none; + display: table-cell; +} +.table > thead > tr > td.active, +.table > tbody > tr > td.active, +.table > tfoot > tr > td.active, +.table > thead > tr > th.active, +.table > tbody > tr > th.active, +.table > tfoot > tr > th.active, +.table > thead > tr.active > td, +.table > tbody > tr.active > td, +.table > tfoot > tr.active > td, +.table > thead > tr.active > th, +.table > tbody > tr.active > th, +.table > tfoot > tr.active > th { + background-color: #D3DAE6; +} +.table-hover > tbody > tr > td.active:hover, +.table-hover > tbody > tr > th.active:hover, +.table-hover > tbody > tr.active:hover > td, +.table-hover > tbody > tr:hover > .active, +.table-hover > tbody > tr.active:hover > th { + background-color: #c3ccdd; +} +.table > thead > tr > td.success, +.table > tbody > tr > td.success, +.table > tfoot > tr > td.success, +.table > thead > tr > th.success, +.table > tbody > tr > th.success, +.table > tfoot > tr > th.success, +.table > thead > tr.success > td, +.table > tbody > tr.success > td, +.table > tfoot > tr.success > td, +.table > thead > tr.success > th, +.table > tbody > tr.success > th, +.table > tfoot > tr.success > th { + background-color: #017D73; +} +.table-hover > tbody > tr > td.success:hover, +.table-hover > tbody > tr > th.success:hover, +.table-hover > tbody > tr.success:hover > td, +.table-hover > tbody > tr:hover > .success, +.table-hover > tbody > tr.success:hover > th { + background-color: #01645c; +} 
+.table > thead > tr > td.info, +.table > tbody > tr > td.info, +.table > tfoot > tr > td.info, +.table > thead > tr > th.info, +.table > tbody > tr > th.info, +.table > tfoot > tr > th.info, +.table > thead > tr.info > td, +.table > tbody > tr.info > td, +.table > tfoot > tr.info > td, +.table > thead > tr.info > th, +.table > tbody > tr.info > th, +.table > tfoot > tr.info > th { + background-color: #006BB4; +} +.table-hover > tbody > tr > td.info:hover, +.table-hover > tbody > tr > th.info:hover, +.table-hover > tbody > tr.info:hover > td, +.table-hover > tbody > tr:hover > .info, +.table-hover > tbody > tr.info:hover > th { + background-color: #005c9b; +} +.table > thead > tr > td.warning, +.table > tbody > tr > td.warning, +.table > tfoot > tr > td.warning, +.table > thead > tr > th.warning, +.table > tbody > tr > th.warning, +.table > tfoot > tr > th.warning, +.table > thead > tr.warning > td, +.table > tbody > tr.warning > td, +.table > tfoot > tr.warning > td, +.table > thead > tr.warning > th, +.table > tbody > tr.warning > th, +.table > tfoot > tr.warning > th { + background-color: #F5A700; +} +.table-hover > tbody > tr > td.warning:hover, +.table-hover > tbody > tr > th.warning:hover, +.table-hover > tbody > tr.warning:hover > td, +.table-hover > tbody > tr:hover > .warning, +.table-hover > tbody > tr.warning:hover > th { + background-color: #dc9600; +} +.table > thead > tr > td.danger, +.table > tbody > tr > td.danger, +.table > tfoot > tr > td.danger, +.table > thead > tr > th.danger, +.table > tbody > tr > th.danger, +.table > tfoot > tr > th.danger, +.table > thead > tr.danger > td, +.table > tbody > tr.danger > td, +.table > tfoot > tr.danger > td, +.table > thead > tr.danger > th, +.table > tbody > tr.danger > th, +.table > tfoot > tr.danger > th { + background-color: #BD271E; +} +.table-hover > tbody > tr > td.danger:hover, +.table-hover > tbody > tr > th.danger:hover, +.table-hover > tbody > tr.danger:hover > td, +.table-hover > tbody > tr:hover 
> .danger, +.table-hover > tbody > tr.danger:hover > th { + background-color: #a7221b; +} +.table-responsive { + overflow-x: auto; + min-height: 0.01%; +} +@media screen and (max-width: 767px) { + .table-responsive { + width: 100%; + margin-bottom: 15px; + overflow-y: hidden; + -ms-overflow-style: -ms-autohiding-scrollbar; + border: 1px solid #D3DAE6; + } + .table-responsive > .table { + margin-bottom: 0; + } + .table-responsive > .table > thead > tr > th, + .table-responsive > .table > tbody > tr > th, + .table-responsive > .table > tfoot > tr > th, + .table-responsive > .table > thead > tr > td, + .table-responsive > .table > tbody > tr > td, + .table-responsive > .table > tfoot > tr > td { + white-space: nowrap; + } + .table-responsive > .table-bordered { + border: 0; + } + .table-responsive > .table-bordered > thead > tr > th:first-child, + .table-responsive > .table-bordered > tbody > tr > th:first-child, + .table-responsive > .table-bordered > tfoot > tr > th:first-child, + .table-responsive > .table-bordered > thead > tr > td:first-child, + .table-responsive > .table-bordered > tbody > tr > td:first-child, + .table-responsive > .table-bordered > tfoot > tr > td:first-child { + border-left: 0; + } + .table-responsive > .table-bordered > thead > tr > th:last-child, + .table-responsive > .table-bordered > tbody > tr > th:last-child, + .table-responsive > .table-bordered > tfoot > tr > th:last-child, + .table-responsive > .table-bordered > thead > tr > td:last-child, + .table-responsive > .table-bordered > tbody > tr > td:last-child, + .table-responsive > .table-bordered > tfoot > tr > td:last-child { + border-right: 0; + } + .table-responsive > .table-bordered > tbody > tr:last-child > th, + .table-responsive > .table-bordered > tfoot > tr:last-child > th, + .table-responsive > .table-bordered > tbody > tr:last-child > td, + .table-responsive > .table-bordered > tfoot > tr:last-child > td { + border-bottom: 0; + } +} +.form-control { + display: block; + width: 
100%; + height: 32px; + padding: 5px 15px; + font-size: 14px; + line-height: 1.42857143; + color: #343741; + background-color: #fafbfd; + background-image: none; + border: 1px solid #D3DAE6; + border-radius: 4px; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); + transition: border-color ease-in-out .15s, box-shadow ease-in-out .15s; +} +.form-control:focus { + border-color: #006BB4; + outline: 0; + box-shadow: inset 0 1px 1px rgba(0,0,0,.075), 0 0 8px rgba(0, 107, 180, 0.6); +} +.form-control::-moz-placeholder { + color: #98A2B3; + opacity: 1; +} +.form-control:-ms-input-placeholder { + color: #98A2B3; +} +.form-control::-webkit-input-placeholder { + color: #98A2B3; +} +.form-control::-ms-expand { + border: 0; + background-color: transparent; +} +.form-control[disabled], +.form-control[readonly], +fieldset[disabled] .form-control { + background-color: #D3DAE6; + opacity: 1; +} +.form-control[disabled], +fieldset[disabled] .form-control { + cursor: not-allowed; +} +textarea.form-control { + height: auto; +} +.form-group:not(:empty) { + margin-bottom: 15px; +} +.radio, +.checkbox { + position: relative; + display: block; + margin-top: 10px; + margin-bottom: 10px; +} +.radio label, +.checkbox label { + min-height: 20px; + padding-left: 20px; + margin-bottom: 0; + font-weight: normal; + cursor: pointer; +} +.radio input[type="radio"], +.radio-inline input[type="radio"], +.checkbox input[type="checkbox"], +.checkbox-inline input[type="checkbox"] { + position: absolute; + margin-left: -20px; + margin-top: 4px \9; +} +.radio + .radio, +.checkbox + .checkbox { + margin-top: -5px; +} +.radio-inline, +.checkbox-inline { + position: relative; + display: inline-block; + padding-left: 20px; + margin-bottom: 0; + vertical-align: middle; + font-weight: normal; + cursor: pointer; +} +.radio-inline + .radio-inline, +.checkbox-inline + .checkbox-inline { + margin-top: 0; + margin-left: 10px; +} +.radio-inline.disabled, +.checkbox-inline.disabled, +fieldset[disabled] 
.radio-inline, +fieldset[disabled] .checkbox-inline { + cursor: not-allowed; +} +.radio.disabled label, +.checkbox.disabled label, +fieldset[disabled] .radio label, +fieldset[disabled] .checkbox label { + cursor: not-allowed; +} +.form-control-static { + padding-top: 6px; + padding-bottom: 6px; + margin-bottom: 0; + min-height: 34px; +} +.form-control-static.input-lg, +.form-control-static.input-sm { + padding-left: 0; + padding-right: 0; +} +.input-sm { + height: 32px; + padding: 6px 9px; + font-size: 12px; + line-height: 1.5; + border-radius: 4px; +} +select.input-sm { + height: 32px; + line-height: 32px; +} +textarea.input-sm, +select[multiple].input-sm { + height: auto; +} +.form-group-sm .form-control { + height: 32px; + padding: 6px 9px; + font-size: 12px; + line-height: 1.5; + border-radius: 4px; +} +.form-group-sm select.form-control { + height: 32px; + line-height: 32px; +} +.form-group-sm textarea.form-control, +.form-group-sm select[multiple].form-control { + height: auto; +} +.form-group-sm .form-control-static { + height: 32px; + min-height: 32px; + padding: 7px 9px; + font-size: 12px; + line-height: 1.5; +} +.input-lg { + height: 62px; + padding: 18px 27px; + font-size: 18px; + line-height: 1.3333333; + border-radius: 4px; +} +select.input-lg { + height: 62px; + line-height: 62px; +} +textarea.input-lg, +select[multiple].input-lg { + height: auto; +} +.form-group-lg .form-control { + height: 62px; + padding: 18px 27px; + font-size: 18px; + line-height: 1.3333333; + border-radius: 4px; +} +.form-group-lg select.form-control { + height: 62px; + line-height: 62px; +} +.form-group-lg textarea.form-control, +.form-group-lg select[multiple].form-control { + height: auto; +} +.form-group-lg .form-control-static { + height: 62px; + min-height: 38px; + padding: 19px 27px; + font-size: 18px; + line-height: 1.3333333; +} +.has-feedback { + position: relative; +} +.has-feedback .form-control { + padding-right: 40px; +} +.form-control-feedback { + position: 
absolute; + top: 0; + right: 0; + z-index: 2; + display: block; + width: 32px; + height: 32px; + line-height: 32px; + text-align: center; + pointer-events: none; +} +.input-lg + .form-control-feedback, +.input-group-lg + .form-control-feedback, +.form-group-lg .form-control + .form-control-feedback { + width: 62px; + height: 62px; + line-height: 62px; +} +.input-sm + .form-control-feedback, +.input-group-sm + .form-control-feedback, +.form-group-sm .form-control + .form-control-feedback { + width: 32px; + height: 32px; + line-height: 32px; +} +.has-success .help-block, +.has-success .control-label, +.has-success .radio, +.has-success .checkbox, +.has-success .radio-inline, +.has-success .checkbox-inline, +.has-success.radio label, +.has-success.checkbox label, +.has-success.radio-inline label, +.has-success.checkbox-inline label { + color: #FFF; +} +.has-success .form-control { + border-color: #FFF; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); +} +.has-success .form-control:focus { + border-color: #e6e6e6; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #ffffff; +} +.has-success .input-group-addon { + color: #FFF; + border-color: #FFF; + background-color: #017D73; +} +.has-success .form-control-feedback { + color: #FFF; +} +.has-warning .help-block, +.has-warning .control-label, +.has-warning .radio, +.has-warning .checkbox, +.has-warning .radio-inline, +.has-warning .checkbox-inline, +.has-warning.radio label, +.has-warning.checkbox label, +.has-warning.radio-inline label, +.has-warning.checkbox-inline label { + color: #FFF; +} +.has-warning .form-control { + border-color: #FFF; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); +} +.has-warning .form-control:focus { + border-color: #e6e6e6; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #ffffff; +} +.has-warning .input-group-addon { + color: #FFF; + border-color: #FFF; + background-color: #F5A700; +} +.has-warning .form-control-feedback { + color: #FFF; +} +.has-error .help-block, 
+.has-error .control-label, +.has-error .radio, +.has-error .checkbox, +.has-error .radio-inline, +.has-error .checkbox-inline, +.has-error.radio label, +.has-error.checkbox label, +.has-error.radio-inline label, +.has-error.checkbox-inline label { + color: #FFF; +} +.has-error .form-control { + border-color: #FFF; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); +} +.has-error .form-control:focus { + border-color: #e6e6e6; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #ffffff; +} +.has-error .input-group-addon { + color: #FFF; + border-color: #FFF; + background-color: #BD271E; +} +.has-error .form-control-feedback { + color: #FFF; +} +.has-feedback label ~ .form-control-feedback { + top: 25px; +} +.has-feedback label.sr-only ~ .form-control-feedback { + top: 0; +} +.help-block { + display: block; + margin-top: 5px; + margin-bottom: 10px; + color: #6d7388; +} +@media (min-width: 768px) { + .form-inline .form-group { + display: inline-block; + margin-bottom: 0; + vertical-align: middle; + } + .form-inline .form-control { + display: inline-block; + width: auto; + vertical-align: middle; + } + .form-inline .form-control-static { + display: inline-block; + } + .form-inline .input-group { + display: inline-table; + vertical-align: middle; + } + .form-inline .input-group .input-group-addon, + .form-inline .input-group .form-control { + width: auto; + } + .form-inline .input-group > .form-control { + width: 100%; + } + .form-inline .control-label { + margin-bottom: 0; + vertical-align: middle; + } + .form-inline .radio, + .form-inline .checkbox { + display: inline-block; + margin-top: 0; + margin-bottom: 0; + vertical-align: middle; + } + .form-inline .radio label, + .form-inline .checkbox label { + padding-left: 0; + } + .form-inline .radio input[type="radio"], + .form-inline .checkbox input[type="checkbox"] { + position: relative; + margin-left: 0; + } + .form-inline .has-feedback .form-control-feedback { + top: 0; + } +} +.form-horizontal .radio, 
+.form-horizontal .checkbox, +.form-horizontal .radio-inline, +.form-horizontal .checkbox-inline { + margin-top: 0; + margin-bottom: 0; + padding-top: 6px; +} +.form-horizontal .radio, +.form-horizontal .checkbox { + min-height: 26px; +} +.form-horizontal .form-group { + margin-left: -15px; + margin-right: -15px; +} +@media (min-width: 768px) { + .form-horizontal .control-label { + text-align: right; + margin-bottom: 0; + padding-top: 6px; + } +} +.form-horizontal .has-feedback .form-control-feedback { + right: 15px; +} +@media (min-width: 768px) { + .form-horizontal .form-group-lg .control-label { + padding-top: 19px; + font-size: 18px; + } +} +@media (min-width: 768px) { + .form-horizontal .form-group-sm .control-label { + padding-top: 7px; + font-size: 12px; + } +} +.text-left { + text-align: left; +} +.text-right { + text-align: right; +} +.text-center { + text-align: center; +} +.text-muted { + color: #b2bac6; +} +.text-primary { + color: #343741; +} +a.text-primary:hover, +a.text-primary:focus { + color: #1d1f25; +} +.text-success { + color: #FFF; +} +a.text-success:hover, +a.text-success:focus { + color: #e6e6e6; +} +.text-info { + color: #FFF; +} +a.text-info:hover, +a.text-info:focus { + color: #e6e6e6; +} +.text-warning { + color: #FFF; +} +a.text-warning:hover, +a.text-warning:focus { + color: #e6e6e6; +} +.text-danger { + color: #FFF; +} +a.text-danger:hover, +a.text-danger:focus { + color: #e6e6e6; +} +.bg-info { + background-color: #006BB4; +} +a.bg-info:hover, +a.bg-info:focus { + background-color: #004d81; +} +.list-unstyled { + padding-left: 0; + list-style: none; +} +@media (min-width: 0) { + .dl-horizontal dt { + float: left; + width: 160px; + clear: left; + text-align: right; + overflow: hidden; + text-overflow: ellipsis; + white-space: nowrap; + } + .dl-horizontal dd { + margin-left: 180px; + } +} +.fade { + opacity: 0; + transition: opacity 0.15s linear; +} +.fade.in { + opacity: 1; +} +.collapse { + display: none; +} +.collapse.in { + 
display: block; +} +tr.collapse.in { + display: table-row; +} +tbody.collapse.in { + display: table-row-group; +} +.collapsing { + position: relative; + height: 0; + overflow: hidden; + transition-property: height, visibility; + transition-duration: 0.35s; + transition-timing-function: ease; +} +/** + * ui/angular-ui-select depends upon these styles. Don't use them in your markup. + * Please use the UI Framework styles instead. + */ +.btn { + display: inline-block; + margin-bottom: 0; + font-weight: normal; + text-align: center; + vertical-align: middle; + touch-action: manipulation; + cursor: pointer; + background-image: none; + border: 1px solid transparent; + white-space: nowrap; + padding: 5px 15px; + font-size: 14px; + line-height: 1.42857143; + border-radius: 4px; + -webkit-user-select: none; + -moz-user-select: none; + -ms-user-select: none; + user-select: none; +} +.btn:focus, +.btn:active:focus, +.btn.active:focus, +.btn.focus, +.btn:active.focus, +.btn.active.focus { + box-shadow: 0 0 0 1px white, 0 0 0 2px #0079a5; + /* 3 */ +} +.btn:hover, +.btn:focus, +.btn.focus { + color: #FFF; + text-decoration: none; +} +.btn:active, +.btn.active { + outline: 0; + background-image: none; + box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125); +} +.btn.disabled, +.btn[disabled], +fieldset[disabled] .btn { + cursor: not-allowed; + opacity: 0.65; + filter: alpha(opacity=65); + box-shadow: none; +} +a.btn.disabled, +fieldset[disabled] a.btn { + pointer-events: none; +} +.btn-default { + color: #FFF; + background-color: #006BB4; + border-color: #006BB4; +} +.btn-default:focus, +.btn-default.focus { + color: #FFF; + background-color: #004d81; + border-color: #001f35; +} +.btn-default:hover { + color: #FFF; + background-color: #004d81; + border-color: #004777; +} +.btn-default:active, +.btn-default.active, +.open > .dropdown-toggle.btn-default { + color: #FFF; + background-color: #004d81; + border-color: #004777; +} +.btn-default:active:hover, +.btn-default.active:hover, 
+.open > .dropdown-toggle.btn-default:hover, +.btn-default:active:focus, +.btn-default.active:focus, +.open > .dropdown-toggle.btn-default:focus, +.btn-default:active.focus, +.btn-default.active.focus, +.open > .dropdown-toggle.btn-default.focus { + color: #FFF; + background-color: #00375d; + border-color: #001f35; +} +.btn-default:active, +.btn-default.active, +.open > .dropdown-toggle.btn-default { + background-image: none; +} +.btn-default.disabled:hover, +.btn-default[disabled]:hover, +fieldset[disabled] .btn-default:hover, +.btn-default.disabled:focus, +.btn-default[disabled]:focus, +fieldset[disabled] .btn-default:focus, +.btn-default.disabled.focus, +.btn-default[disabled].focus, +fieldset[disabled] .btn-default.focus { + background-color: #006BB4; + border-color: #006BB4; +} +.btn-default .badge { + color: #006BB4; + background-color: #FFF; +} +.btn-primary { + color: #FFF; + background-color: #006BB4; + border-color: #006BB4; +} +.btn-primary:focus, +.btn-primary.focus { + color: #FFF; + background-color: #004d81; + border-color: #001f35; +} +.btn-primary:hover { + color: #FFF; + background-color: #004d81; + border-color: #004777; +} +.btn-primary:active, +.btn-primary.active, +.open > .dropdown-toggle.btn-primary { + color: #FFF; + background-color: #004d81; + border-color: #004777; +} +.btn-primary:active:hover, +.btn-primary.active:hover, +.open > .dropdown-toggle.btn-primary:hover, +.btn-primary:active:focus, +.btn-primary.active:focus, +.open > .dropdown-toggle.btn-primary:focus, +.btn-primary:active.focus, +.btn-primary.active.focus, +.open > .dropdown-toggle.btn-primary.focus { + color: #FFF; + background-color: #00375d; + border-color: #001f35; +} +.btn-primary:active, +.btn-primary.active, +.open > .dropdown-toggle.btn-primary { + background-image: none; +} +.btn-primary.disabled:hover, +.btn-primary[disabled]:hover, +fieldset[disabled] .btn-primary:hover, +.btn-primary.disabled:focus, +.btn-primary[disabled]:focus, +fieldset[disabled] 
.btn-primary:focus, +.btn-primary.disabled.focus, +.btn-primary[disabled].focus, +fieldset[disabled] .btn-primary.focus { + background-color: #006BB4; + border-color: #006BB4; +} +.btn-primary .badge { + color: #006BB4; + background-color: #FFF; +} +.btn-xs { + padding: 1px 5px; + font-size: 12px; + line-height: 1.5; + border-radius: 4px; +} +.navbar { + position: relative; + min-height: 45px; + margin-bottom: 0px; + border: 1px solid transparent; +} +@media (min-width: 0) { + .navbar { + border-radius: 4px; + } +} +@media (min-width: 0) { + .navbar-header { + float: left; + } +} +.navbar-collapse { + overflow-x: visible; + padding-right: 10px; + padding-left: 10px; + border-top: 1px solid transparent; + box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1); + -webkit-overflow-scrolling: touch; +} +.navbar-collapse.in { + overflow-y: auto; +} +@media (min-width: 0) { + .navbar-collapse { + width: auto; + border-top: 0; + box-shadow: none; + } + .navbar-collapse.collapse { + display: block !important; + height: auto !important; + padding-bottom: 0; + overflow: visible !important; + } + .navbar-collapse.in { + overflow-y: visible; + } + .navbar-fixed-top .navbar-collapse, + .navbar-fixed-bottom .navbar-collapse { + padding-left: 0; + padding-right: 0; + } +} +.navbar-fixed-top .navbar-collapse, +.navbar-fixed-bottom .navbar-collapse { + max-height: 340px; +} +@media (max-device-width: 480px) and (orientation: landscape) { + .navbar-fixed-top .navbar-collapse, + .navbar-fixed-bottom .navbar-collapse { + max-height: 200px; + } +} +.container > .navbar-header, +.container-fluid > .navbar-header, +.container > .navbar-collapse, +.container-fluid > .navbar-collapse { + margin-right: -10px; + margin-left: -10px; +} +@media (min-width: 0) { + .container > .navbar-header, + .container-fluid > .navbar-header, + .container > .navbar-collapse, + .container-fluid > .navbar-collapse { + margin-right: 0; + margin-left: 0; + } +} +.navbar-fixed-top, +.navbar-fixed-bottom { + position: 
fixed; + right: 0; + left: 0; + z-index: 1050; +} +@media (min-width: 0) { + .navbar-fixed-top, + .navbar-fixed-bottom { + border-radius: 0; + } +} +.navbar-fixed-top { + top: 0; + border-width: 0 0 1px; +} +.navbar-fixed-bottom { + bottom: 0; + margin-bottom: 0; + border-width: 1px 0 0; +} +.navbar-brand { + float: left; + padding: 12.5px 10px; + font-size: 18px; + line-height: 20px; + height: 45px; +} +.navbar-brand:hover, +.navbar-brand:focus { + text-decoration: none; +} +.navbar-brand > img { + display: block; +} +@media (min-width: 0) { + .navbar > .container .navbar-brand, + .navbar > .container-fluid .navbar-brand { + margin-left: -10px; + } +} +.navbar-toggle { + position: relative; + float: right; + margin-right: 10px; + padding: 9px 10px; + margin-top: 5.5px; + margin-bottom: 5.5px; + background-color: transparent; + background-image: none; + border: 1px solid transparent; + border-radius: 4px; +} +.navbar-toggle:focus { + outline: 0; +} +.navbar-toggle .icon-bar { + display: block; + width: 22px; + height: 2px; + border-radius: 1px; +} +.navbar-toggle .icon-bar + .icon-bar { + margin-top: 4px; +} +@media (min-width: 0) { + .navbar-toggle { + display: none; + } +} +.navbar-nav { + margin: 6.25px -10px; +} +.navbar-nav > li > a { + padding-top: 10px; + padding-bottom: 10px; + line-height: 20px; +} +@media (max-width: -1) { + .navbar-nav .open .dropdown-menu { + position: static; + float: none; + width: auto; + margin-top: 0; + background-color: transparent; + border: 0; + box-shadow: none; + } + .navbar-nav .open .dropdown-menu > li > a, + .navbar-nav .open .dropdown-menu .dropdown-header { + padding: 5px 15px 5px 25px; + } + .navbar-nav .open .dropdown-menu > li > a { + line-height: 20px; + } + .navbar-nav .open .dropdown-menu > li > a:hover, + .navbar-nav .open .dropdown-menu > li > a:focus { + background-image: none; + } +} +@media (min-width: 0) { + .navbar-nav { + float: left; + margin: 0; + } + .navbar-nav > li { + float: left; + } + .navbar-nav > 
li > a { + padding-top: 12.5px; + padding-bottom: 12.5px; + } +} +.navbar-form { + margin-left: -10px; + margin-right: -10px; + padding: 10px 10px; + border-top: 1px solid transparent; + border-bottom: 1px solid transparent; + box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1), 0 1px 0 rgba(255, 255, 255, 0.1); + margin-top: 6.5px; + margin-bottom: 6.5px; +} +@media (min-width: 768px) { + .navbar-form .form-group { + display: inline-block; + margin-bottom: 0; + vertical-align: middle; + } + .navbar-form .form-control { + display: inline-block; + width: auto; + vertical-align: middle; + } + .navbar-form .form-control-static { + display: inline-block; + } + .navbar-form .input-group { + display: inline-table; + vertical-align: middle; + } + .navbar-form .input-group .input-group-addon, + .navbar-form .input-group .form-control { + width: auto; + } + .navbar-form .input-group > .form-control { + width: 100%; + } + .navbar-form .control-label { + margin-bottom: 0; + vertical-align: middle; + } + .navbar-form .radio, + .navbar-form .checkbox { + display: inline-block; + margin-top: 0; + margin-bottom: 0; + vertical-align: middle; + } + .navbar-form .radio label, + .navbar-form .checkbox label { + padding-left: 0; + } + .navbar-form .radio input[type="radio"], + .navbar-form .checkbox input[type="checkbox"] { + position: relative; + margin-left: 0; + } + .navbar-form .has-feedback .form-control-feedback { + top: 0; + } +} +@media (max-width: -1) { + .navbar-form .form-group { + margin-bottom: 5px; + } + .navbar-form .form-group:last-child { + margin-bottom: 0; + } +} +@media (min-width: 0) { + .navbar-form { + width: auto; + border: 0; + margin-left: 0; + margin-right: 0; + padding-top: 0; + padding-bottom: 0; + box-shadow: none; + } +} +.navbar-nav > li > .dropdown-menu { + margin-top: 0; + border-top-right-radius: 0; + border-top-left-radius: 0; +} +.navbar-fixed-bottom .navbar-nav > li > .dropdown-menu { + margin-bottom: 0; + border-top-right-radius: 4px; + 
border-top-left-radius: 4px; + border-bottom-right-radius: 0; + border-bottom-left-radius: 0; +} +.navbar-text { + margin-top: 12.5px; + margin-bottom: 12.5px; +} +@media (min-width: 0) { + .navbar-text { + float: left; + margin-left: 10px; + margin-right: 10px; + } +} +@media (min-width: 0) { + .navbar-left { + float: left !important; + } + .navbar-right { + float: right !important; + margin-right: -10px; + } + .navbar-right ~ .navbar-right { + margin-right: 0; + } +} +.navbar-default { + background-color: #F5F7FA; + border-color: transparent; +} +.navbar-default .navbar-brand { + color: #69707D; +} +.navbar-default .navbar-brand:hover, +.navbar-default .navbar-brand:focus { + color: #69707D; + background-color: transparent; +} +.navbar-default .navbar-text { + color: #69707D; +} +.navbar-default .navbar-nav > li > a { + color: #69707D; +} +.navbar-default .navbar-nav > li > a:hover, +.navbar-default .navbar-nav > li > a:focus { + color: #69707D; + background-color: transparent; +} +.navbar-default .navbar-nav > .active > a, +.navbar-default .navbar-nav > .active > a:hover, +.navbar-default .navbar-nav > .active > a:focus { + color: #343741; + background-color: transparent; +} +.navbar-default .navbar-nav > .disabled > a, +.navbar-default .navbar-nav > .disabled > a:hover, +.navbar-default .navbar-nav > .disabled > a:focus { + color: #69707D; + background-color: transparent; +} +.navbar-default .navbar-toggle { + border-color: #d3dce9; +} +.navbar-default .navbar-toggle:hover, +.navbar-default .navbar-toggle:focus { + background-color: #d3dce9; +} +.navbar-default .navbar-toggle .icon-bar { + background-color: #FFF; +} +.navbar-default .navbar-collapse, +.navbar-default .navbar-form { + border-color: transparent; +} +.navbar-default .navbar-nav > .open > a, +.navbar-default .navbar-nav > .open > a:hover, +.navbar-default .navbar-nav > .open > a:focus { + background-color: transparent; + color: #343741; +} +@media (max-width: -1) { + .navbar-default .navbar-nav 
.open .dropdown-menu > li > a { + color: #69707D; + } + .navbar-default .navbar-nav .open .dropdown-menu > li > a:hover, + .navbar-default .navbar-nav .open .dropdown-menu > li > a:focus { + color: #69707D; + background-color: transparent; + } + .navbar-default .navbar-nav .open .dropdown-menu > .active > a, + .navbar-default .navbar-nav .open .dropdown-menu > .active > a:hover, + .navbar-default .navbar-nav .open .dropdown-menu > .active > a:focus { + color: #343741; + background-color: transparent; + } + .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a, + .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:hover, + .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:focus { + color: #69707D; + background-color: transparent; + } +} +.navbar-default .navbar-link { + color: #69707D; +} +.navbar-default .navbar-link:hover { + color: #69707D; +} +.navbar-inverse { + background-color: #343741; + border-color: #1d1f25; +} +.navbar-inverse .navbar-brand { + color: #FFF; +} +.navbar-inverse .navbar-brand:hover, +.navbar-inverse .navbar-brand:focus { + color: #FFF; + background-color: #4b4f5d; +} +.navbar-inverse .navbar-text { + color: #FFF; +} +.navbar-inverse .navbar-nav > li > a { + color: #D3DAE6; +} +.navbar-inverse .navbar-nav > li > a:hover, +.navbar-inverse .navbar-nav > li > a:focus { + color: #FFF; + background-color: #61677a; +} +.navbar-inverse .navbar-nav > .active > a, +.navbar-inverse .navbar-nav > .active > a:hover, +.navbar-inverse .navbar-nav > .active > a:focus { + color: #FFF; + background-color: #69707D; +} +.navbar-inverse .navbar-nav > .disabled > a, +.navbar-inverse .navbar-nav > .disabled > a:hover, +.navbar-inverse .navbar-nav > .disabled > a:focus { + color: #b2bac6; + background-color: transparent; +} +.navbar-inverse .navbar-toggle { + border-color: #1d1f25; +} +.navbar-inverse .navbar-toggle:hover, +.navbar-inverse .navbar-toggle:focus { + background-color: #1d1f25; +} +.navbar-inverse .navbar-toggle 
.icon-bar { + background-color: #FFF; +} +.navbar-inverse .navbar-collapse, +.navbar-inverse .navbar-form { + border-color: #24262d; +} +.navbar-inverse .navbar-nav > .open > a, +.navbar-inverse .navbar-nav > .open > a:hover, +.navbar-inverse .navbar-nav > .open > a:focus { + background-color: #69707D; + color: #FFF; +} +@media (max-width: -1) { + .navbar-inverse .navbar-nav .open .dropdown-menu > .dropdown-header { + border-color: #1d1f25; + } + .navbar-inverse .navbar-nav .open .dropdown-menu .divider { + background-color: #1d1f25; + } + .navbar-inverse .navbar-nav .open .dropdown-menu > li > a { + color: #D3DAE6; + } + .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:hover, + .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:focus { + color: #FFF; + background-color: #61677a; + } + .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a, + .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:hover, + .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:focus { + color: #FFF; + background-color: #69707D; + } + .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a, + .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:hover, + .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:focus { + color: #b2bac6; + background-color: transparent; + } +} +.navbar-inverse .navbar-link { + color: #D3DAE6; +} +.navbar-inverse .navbar-link:hover { + color: #FFF; +} +.close { + float: right; + font-size: 21px; + font-weight: bold; + line-height: 1; + color: #000; + text-shadow: none; + opacity: 0.2; + filter: alpha(opacity=20); +} +.close:hover, +.close:focus { + color: #000; + text-decoration: none; + cursor: pointer; + opacity: 0.5; + filter: alpha(opacity=50); +} +button.close { + padding: 0; + cursor: pointer; + background: transparent; + border: 0; + -webkit-appearance: none; +} +.modal-open { + overflow: hidden; +} +.modal { + display: none; + overflow: hidden; + position: fixed; + top: 0; + 
right: 0; + bottom: 0; + left: 0; + z-index: 1070; + -webkit-overflow-scrolling: touch; + outline: 0; +} +.modal.fade .modal-dialog { + transform: translate(0, -25%); + transition: transform 0.3s ease-out; +} +.modal.in .modal-dialog { + transform: translate(0, 0); +} +.modal-open .modal { + overflow-x: hidden; + overflow-y: auto; +} +.modal-dialog { + position: relative; + width: auto; + margin: 10px; +} +.modal-content { + position: relative; + background-color: #FFF; + border: 1px solid #98A2B3; + border: 1px solid rgba(0, 0, 0, 0.2); + border-radius: 4px; + box-shadow: 0 3px 9px rgba(0, 0, 0, 0.5); + background-clip: padding-box; + outline: 0; +} +.modal-backdrop { + position: fixed; + top: 0; + right: 0; + bottom: 0; + left: 0; + z-index: 1060; + background-color: #000; +} +.modal-backdrop.fade { + opacity: 0; + filter: alpha(opacity=0); +} +.modal-backdrop.in { + opacity: 0.5; + filter: alpha(opacity=50); +} +.modal-header { + padding: 15px; + border-bottom: 1px solid #e5e5e5; +} +.modal-header .close { + margin-top: -2px; +} +.modal-title { + margin: 0; + line-height: 1.42857143; +} +.modal-body { + position: relative; + padding: 15px; +} +.modal-footer { + padding: 15px; + text-align: right; + border-top: 1px solid #e5e5e5; +} +.modal-scrollbar-measure { + position: absolute; + top: -9999px; + width: 50px; + height: 50px; + overflow: scroll; +} +@media (min-width: 768px) { + .modal-dialog { + width: 600px; + margin: 30px auto; + } + .modal-content { + box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5); + } + .modal-sm { + width: 300px; + } +} +@media (min-width: 992px) { + .modal-lg { + width: 900px; + } +} +@-webkit-keyframes progress-bar-stripes { + from { + background-position: 40px 0; + } + to { + background-position: 0 0; + } +} +@keyframes progress-bar-stripes { + from { + background-position: 40px 0; + } + to { + background-position: 0 0; + } +} +.progress { + overflow: hidden; + height: 20px; + margin-bottom: 20px; + background-color: #b8bec8; + 
border-radius: 4px; + box-shadow: inset 0 1px 2px rgba(0, 0, 0, 0.1); +} +.progress-bar { + float: left; + width: 0%; + height: 100%; + font-size: 12px; + line-height: 20px; + color: #FFF; + text-align: center; + background-color: #54B399; + transition: width 0.6s ease; +} +.progress-striped .progress-bar, +.progress-bar-striped { + background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); + background-size: 40px 40px; +} +.progress.active .progress-bar, +.progress-bar.active { + -webkit-animation: progress-bar-stripes 2s linear infinite; + animation: progress-bar-stripes 2s linear infinite; +} +.progress-bar-success { + background-color: #017D73; +} +.progress-striped .progress-bar-success { + background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); +} +.progress-bar-info { + background-color: #006BB4; +} +.progress-striped .progress-bar-info { + background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); +} +.progress-bar-warning { + background-color: #F5A700; +} +.progress-striped .progress-bar-warning { + background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); +} +.progress-bar-danger { + background-color: #BD271E; +} +.progress-striped .progress-bar-danger { + background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); +} +.list-group { + margin-bottom: 20px; + 
padding-left: 0; +} +.list-group-item { + position: relative; + display: block; + padding: 10px 15px; + margin-bottom: -1px; + background-color: #FFF; + border: 1px solid #D3DAE6; +} +.list-group-item:first-child { + border-top-right-radius: 4px; + border-top-left-radius: 4px; +} +.list-group-item:last-child { + margin-bottom: 0; + border-bottom-right-radius: 4px; + border-bottom-left-radius: 4px; +} +.list-group-item--noBorder { + border-top: 0; +} +a.list-group-item, +button.list-group-item { + color: #69707D; +} +a.list-group-item .list-group-item-heading, +button.list-group-item .list-group-item-heading { + color: #343741; +} +a.list-group-item:hover, +button.list-group-item:hover, +a.list-group-item:focus, +button.list-group-item:focus { + text-decoration: none; + color: #69707D; + background-color: #F5F7FA; +} +button.list-group-item { + width: 100%; + text-align: left; +} +.list-group-item.disabled, +.list-group-item.disabled:hover, +.list-group-item.disabled:focus { + background-color: #D3DAE6; + color: #b2bac6; + cursor: not-allowed; +} +.list-group-item.disabled .list-group-item-heading, +.list-group-item.disabled:hover .list-group-item-heading, +.list-group-item.disabled:focus .list-group-item-heading { + color: inherit; +} +.list-group-item.disabled .list-group-item-text, +.list-group-item.disabled:hover .list-group-item-text, +.list-group-item.disabled:focus .list-group-item-text { + color: #b2bac6; +} +.list-group-item.active, +.list-group-item.active:hover, +.list-group-item.active:focus { + z-index: 2; + color: #343741; + background-color: #343741; + border-color: #343741; +} +.list-group-item.active .list-group-item-heading, +.list-group-item.active:hover .list-group-item-heading, +.list-group-item.active:focus .list-group-item-heading, +.list-group-item.active .list-group-item-heading > small, +.list-group-item.active:hover .list-group-item-heading > small, +.list-group-item.active:focus .list-group-item-heading > small, +.list-group-item.active 
.list-group-item-heading > .small, +.list-group-item.active:hover .list-group-item-heading > .small, +.list-group-item.active:focus .list-group-item-heading > .small { + color: inherit; +} +.list-group-item.active .list-group-item-text, +.list-group-item.active:hover .list-group-item-text, +.list-group-item.active:focus .list-group-item-text { + color: #969bab; +} +.list-group-item-success { + color: #FFF; + background-color: #017D73; +} +a.list-group-item-success, +button.list-group-item-success { + color: #FFF; +} +a.list-group-item-success .list-group-item-heading, +button.list-group-item-success .list-group-item-heading { + color: inherit; +} +a.list-group-item-success:hover, +button.list-group-item-success:hover, +a.list-group-item-success:focus, +button.list-group-item-success:focus { + color: #FFF; + background-color: #01645c; +} +a.list-group-item-success.active, +button.list-group-item-success.active, +a.list-group-item-success.active:hover, +button.list-group-item-success.active:hover, +a.list-group-item-success.active:focus, +button.list-group-item-success.active:focus { + color: #fff; + background-color: #FFF; + border-color: #FFF; +} +.list-group-item-info { + color: #FFF; + background-color: #006BB4; +} +a.list-group-item-info, +button.list-group-item-info { + color: #FFF; +} +a.list-group-item-info .list-group-item-heading, +button.list-group-item-info .list-group-item-heading { + color: inherit; +} +a.list-group-item-info:hover, +button.list-group-item-info:hover, +a.list-group-item-info:focus, +button.list-group-item-info:focus { + color: #FFF; + background-color: #005c9b; +} +a.list-group-item-info.active, +button.list-group-item-info.active, +a.list-group-item-info.active:hover, +button.list-group-item-info.active:hover, +a.list-group-item-info.active:focus, +button.list-group-item-info.active:focus { + color: #fff; + background-color: #FFF; + border-color: #FFF; +} +.list-group-item-warning { + color: #FFF; + background-color: #F5A700; +} 
+a.list-group-item-warning, +button.list-group-item-warning { + color: #FFF; +} +a.list-group-item-warning .list-group-item-heading, +button.list-group-item-warning .list-group-item-heading { + color: inherit; +} +a.list-group-item-warning:hover, +button.list-group-item-warning:hover, +a.list-group-item-warning:focus, +button.list-group-item-warning:focus { + color: #FFF; + background-color: #dc9600; +} +a.list-group-item-warning.active, +button.list-group-item-warning.active, +a.list-group-item-warning.active:hover, +button.list-group-item-warning.active:hover, +a.list-group-item-warning.active:focus, +button.list-group-item-warning.active:focus { + color: #fff; + background-color: #FFF; + border-color: #FFF; +} +.list-group-item-danger { + color: #FFF; + background-color: #BD271E; +} +a.list-group-item-danger, +button.list-group-item-danger { + color: #FFF; +} +a.list-group-item-danger .list-group-item-heading, +button.list-group-item-danger .list-group-item-heading { + color: inherit; +} +a.list-group-item-danger:hover, +button.list-group-item-danger:hover, +a.list-group-item-danger:focus, +button.list-group-item-danger:focus { + color: #FFF; + background-color: #a7221b; +} +a.list-group-item-danger.active, +button.list-group-item-danger.active, +a.list-group-item-danger.active:hover, +button.list-group-item-danger.active:hover, +a.list-group-item-danger.active:focus, +button.list-group-item-danger.active:focus { + color: #fff; + background-color: #FFF; + border-color: #FFF; +} +.list-group-item-heading { + margin-top: 0; + margin-bottom: 5px; +} +.list-group-item-text { + margin-bottom: 0; + line-height: 1.3; +} +.nav { + margin-bottom: 0; + padding-left: 0; + list-style: none; +} +.nav > li { + position: relative; + display: block; +} +.nav > li > a { + position: relative; + display: block; + padding: 10px 15px; +} +.nav > li > a:hover, +.nav > li > a:focus { + text-decoration: none; + background-color: #D3DAE6; +} +.nav > li.disabled > a { + color: #b2bac6; 
+} +.nav > li.disabled > a:hover, +.nav > li.disabled > a:focus { + color: #b2bac6; + text-decoration: none; + background-color: transparent; + cursor: not-allowed; +} +.nav .open > a, +.nav .open > a:hover, +.nav .open > a:focus { + background-color: #D3DAE6; + border-color: #006BB4; +} +.nav .nav-divider { + height: 1px; + margin: 9px 0; + overflow: hidden; + background-color: #e5e5e5; +} +.nav > li > a > img { + max-width: none; +} +.nav-tabs { + border-bottom: 1px solid #D3DAE6; +} +.nav-tabs > li { + float: left; + margin-bottom: -1px; +} +.nav-tabs > li > a { + margin-right: 2px; + line-height: 1.42857143; + border: 1px solid transparent; + border-radius: 4px 4px 0 0; +} +.nav-tabs > li > a:hover { + border-color: #D3DAE6; + background-color: #FFF; +} +.nav-tabs > li.active > a, +.nav-tabs > li.active > a:hover, +.nav-tabs > li.active > a:focus { + color: #343741; + background-color: #FFF; + border: 1px solid #D3DAE6; + border-bottom-color: transparent; + cursor: default; +} +.nav-tabs.nav-justified { + width: 100%; + border-bottom: 0; +} +.nav-tabs.nav-justified > li { + float: none; +} +.nav-tabs.nav-justified > li > a { + text-align: center; + margin-bottom: 5px; +} +.nav-tabs.nav-justified > .dropdown .dropdown-menu { + top: auto; + left: auto; +} +@media (min-width: 768px) { + .nav-tabs.nav-justified > li { + display: table-cell; + width: 1%; + } + .nav-tabs.nav-justified > li > a { + margin-bottom: 0; + } +} +.nav-tabs.nav-justified > li > a { + margin-right: 0; + border-radius: 4px; +} +.nav-tabs.nav-justified > .active > a, +.nav-tabs.nav-justified > .active > a:hover, +.nav-tabs.nav-justified > .active > a:focus { + border: 1px solid #FFF; +} +@media (min-width: 768px) { + .nav-tabs.nav-justified > li > a { + border-bottom: 1px solid #FFF; + border-radius: 4px 4px 0 0; + } + .nav-tabs.nav-justified > .active > a, + .nav-tabs.nav-justified > .active > a:hover, + .nav-tabs.nav-justified > .active > a:focus { + border-bottom-color: #FFF; + } +} 
+.nav-pills > li { + float: left; +} +.nav-pills > li > a { + border-radius: 4px; +} +.nav-pills > li + li { + margin-left: 2px; +} +.nav-pills > li.active > a, +.nav-pills > li.active > a:hover, +.nav-pills > li.active > a:focus { + color: #FFF; + background-color: #006BB4; +} +.nav-stacked > li { + float: none; +} +.nav-stacked > li + li { + margin-top: 2px; + margin-left: 0; +} +.nav-justified { + width: 100%; +} +.nav-justified > li { + float: none; +} +.nav-justified > li > a { + text-align: center; + margin-bottom: 5px; +} +.nav-justified > .dropdown .dropdown-menu { + top: auto; + left: auto; +} +@media (min-width: 768px) { + .nav-justified > li { + display: table-cell; + width: 1%; + } + .nav-justified > li > a { + margin-bottom: 0; + } +} +.nav-tabs-justified { + border-bottom: 0; +} +.nav-tabs-justified > li > a { + margin-right: 0; + border-radius: 4px; +} +.nav-tabs-justified > .active > a, +.nav-tabs-justified > .active > a:hover, +.nav-tabs-justified > .active > a:focus { + border: 1px solid #FFF; +} +@media (min-width: 768px) { + .nav-tabs-justified > li > a { + border-bottom: 1px solid #FFF; + border-radius: 4px 4px 0 0; + } + .nav-tabs-justified > .active > a, + .nav-tabs-justified > .active > a:hover, + .nav-tabs-justified > .active > a:focus { + border-bottom-color: #FFF; + } +} +.tab-content > .tab-pane { + display: none; +} +.tab-content > .active { + display: block; +} +.nav-tabs .dropdown-menu { + margin-top: -1px; + border-top-right-radius: 0; + border-top-left-radius: 0; +} +.alert { + padding: 15px; + margin-bottom: 20px; + border: 1px solid transparent; + border-radius: 4px; +} +.alert h4 { + margin-top: 0; + color: inherit; +} +.alert .alert-link { + font-weight: bold; +} +.alert > p, +.alert > ul { + margin-bottom: 0; +} +.alert > p + p { + margin-top: 5px; +} +.alert-dismissable, +.alert-dismissible { + padding-right: 35px; +} +.alert-dismissable .close, +.alert-dismissible .close { + position: relative; + top: -2px; + right: -21px; + 
color: inherit; +} +.alert-success { + background-color: #017D73; + border-color: #014a44; + color: #FFF; +} +.alert-success hr { + border-top-color: #00312d; +} +.alert-success .alert-link { + color: #e6e6e6; +} +.alert-info { + background-color: #006BB4; + border-color: #004d81; + color: #FFF; +} +.alert-info hr { + border-top-color: #003e68; +} +.alert-info .alert-link { + color: #e6e6e6; +} +.alert-warning { + background-color: #F5A700; + border-color: #c28400; + color: #FFF; +} +.alert-warning hr { + border-top-color: #a97300; +} +.alert-warning .alert-link { + color: #e6e6e6; +} +.alert-danger { + background-color: #BD271E; + border-color: #911e17; + color: #FFF; +} +.alert-danger hr { + border-top-color: #7b1914; +} +.alert-danger .alert-link { + color: #e6e6e6; +} +.bsTooltip { + position: absolute; + z-index: 1040; + display: block; + font-family: 'Open Sans', Helvetica, Arial, sans-serif; + font-style: normal; + font-weight: normal; + letter-spacing: normal; + line-break: auto; + line-height: 1.42857143; + text-align: left; + text-align: start; + text-decoration: none; + text-shadow: none; + text-transform: none; + white-space: normal; + word-break: normal; + word-spacing: normal; + word-wrap: normal; + font-size: 12px; + opacity: 0; + filter: alpha(opacity=0); +} +.bsTooltip.in { + opacity: 0.8; + filter: alpha(opacity=80); +} +.bsTooltip.top { + margin-top: -3px; + padding: 5px 0; +} +.bsTooltip.right { + margin-left: 3px; + padding: 0 5px; +} +.bsTooltip.bottom { + margin-top: 3px; + padding: 5px 0; +} +.bsTooltip.left { + margin-left: -3px; + padding: 0 5px; +} +.bsTooltip-inner { + max-width: 200px; + padding: 3px 8px; + color: #fff; + text-align: center; + background-color: #000; + border-radius: 4px; +} +.bsTooltip-arrow { + position: absolute; + width: 0; + height: 0; + border-color: transparent; + border-style: solid; +} +.bsTooltip.top .bsTooltip-arrow { + bottom: 0; + left: 50%; + margin-left: -5px; + border-width: 5px 5px 0; + 
border-top-color: #000; +} +.bsTooltip.top-left .bsTooltip-arrow { + bottom: 0; + right: 5px; + margin-bottom: -5px; + border-width: 5px 5px 0; + border-top-color: #000; +} +.bsTooltip.top-right .bsTooltip-arrow { + bottom: 0; + left: 5px; + margin-bottom: -5px; + border-width: 5px 5px 0; + border-top-color: #000; +} +.bsTooltip.right .bsTooltip-arrow { + top: 50%; + left: 0; + margin-top: -5px; + border-width: 5px 5px 5px 0; + border-right-color: #000; +} +.bsTooltip.left .bsTooltip-arrow { + top: 50%; + right: 0; + margin-top: -5px; + border-width: 5px 0 5px 5px; + border-left-color: #000; +} +.bsTooltip.bottom .bsTooltip-arrow { + top: 0; + left: 50%; + margin-left: -5px; + border-width: 0 5px 5px; + border-bottom-color: #000; +} +.bsTooltip.bottom-left .bsTooltip-arrow { + top: 0; + right: 5px; + margin-top: -5px; + border-width: 0 5px 5px; + border-bottom-color: #000; +} +.bsTooltip.bottom-right .bsTooltip-arrow { + top: 0; + left: 5px; + margin-top: -5px; + border-width: 0 5px 5px; + border-bottom-color: #000; +} +.visible-xs, +.visible-sm, +.visible-md, +.visible-lg { + display: none !important; +} +.visible-xs-block, +.visible-xs-inline, +.visible-xs-inline-block, +.visible-sm-block, +.visible-sm-inline, +.visible-sm-inline-block, +.visible-md-block, +.visible-md-inline, +.visible-md-inline-block, +.visible-lg-block, +.visible-lg-inline, +.visible-lg-inline-block { + display: none !important; +} +@media (max-width: 767px) { + .visible-xs { + display: block !important; + } + table.visible-xs { + display: table !important; + } + tr.visible-xs { + display: table-row !important; + } + th.visible-xs, + td.visible-xs { + display: table-cell !important; + } +} +@media (max-width: 767px) { + .visible-xs-block { + display: block !important; + } +} +@media (max-width: 767px) { + .visible-xs-inline { + display: inline !important; + } +} +@media (max-width: 767px) { + .visible-xs-inline-block { + display: inline-block !important; + } +} +@media (min-width: 768px) and 
(max-width: 991px) { + .visible-sm { + display: block !important; + } + table.visible-sm { + display: table !important; + } + tr.visible-sm { + display: table-row !important; + } + th.visible-sm, + td.visible-sm { + display: table-cell !important; + } +} +@media (min-width: 768px) and (max-width: 991px) { + .visible-sm-block { + display: block !important; + } +} +@media (min-width: 768px) and (max-width: 991px) { + .visible-sm-inline { + display: inline !important; + } +} +@media (min-width: 768px) and (max-width: 991px) { + .visible-sm-inline-block { + display: inline-block !important; + } +} +@media (min-width: 992px) and (max-width: 1199px) { + .visible-md { + display: block !important; + } + table.visible-md { + display: table !important; + } + tr.visible-md { + display: table-row !important; + } + th.visible-md, + td.visible-md { + display: table-cell !important; + } +} +@media (min-width: 992px) and (max-width: 1199px) { + .visible-md-block { + display: block !important; + } +} +@media (min-width: 992px) and (max-width: 1199px) { + .visible-md-inline { + display: inline !important; + } +} +@media (min-width: 992px) and (max-width: 1199px) { + .visible-md-inline-block { + display: inline-block !important; + } +} +@media (min-width: 1200px) { + .visible-lg { + display: block !important; + } + table.visible-lg { + display: table !important; + } + tr.visible-lg { + display: table-row !important; + } + th.visible-lg, + td.visible-lg { + display: table-cell !important; + } +} +@media (min-width: 1200px) { + .visible-lg-block { + display: block !important; + } +} +@media (min-width: 1200px) { + .visible-lg-inline { + display: inline !important; + } +} +@media (min-width: 1200px) { + .visible-lg-inline-block { + display: inline-block !important; + } +} +@media (max-width: 767px) { + .hidden-xs { + display: none !important; + } +} +@media (min-width: 768px) and (max-width: 991px) { + .hidden-sm { + display: none !important; + } +} +@media (min-width: 992px) and 
(max-width: 1199px) { + .hidden-md { + display: none !important; + } +} +@media (min-width: 1200px) { + .hidden-lg { + display: none !important; + } +} +.visible-print { + display: none !important; +} +@media print { + .visible-print { + display: block !important; + } + table.visible-print { + display: table !important; + } + tr.visible-print { + display: table-row !important; + } + th.visible-print, + td.visible-print { + display: table-cell !important; + } +} +.visible-print-block { + display: none !important; +} +@media print { + .visible-print-block { + display: block !important; + } +} +.visible-print-inline { + display: none !important; +} +@media print { + .visible-print-inline { + display: inline !important; + } +} +.visible-print-inline-block { + display: none !important; +} +@media print { + .visible-print-inline-block { + display: inline-block !important; + } +} +@media print { + .hidden-print { + display: none !important; + } +} +.caret { + display: inline-block; + width: 0; + height: 0; + margin-left: 2px; + vertical-align: middle; + border-top: 4px dashed; + border-top: 4px solid \9; + border-right: 4px solid transparent; + border-left: 4px solid transparent; +} +.dropup, +.dropdown { + position: relative; +} +.dropdown-toggle:focus { + outline: 0; +} +.dropdown-menu { + position: absolute; + top: 100%; + left: 0; + z-index: 1000; + display: none; + float: left; + min-width: 160px; + padding: 5px 0; + margin: 2px 0 0; + list-style: none; + font-size: 14px; + text-align: left; + background-color: #FFF; + border: 1px solid #D3DAE6; + border-radius: 4px; + box-shadow: 0 4px 8px 0 rgba(0, 0, 0, 0.1); + background-clip: padding-box; +} +.dropdown-menu.pull-right { + right: 0; + left: auto; +} +.dropdown-menu .divider { + height: 1px; + margin: 9px 0; + overflow: hidden; + background-color: #D3DAE6; +} +.dropdown-menu > li > a, +.dropdown-menu > li > button { + display: block; + padding: 3px 20px; + clear: both; + font-weight: normal; + line-height: 
1.42857143; + color: #7b7b7b; + white-space: nowrap; +} +.dropdown-menu > li > button { + -webkit-appearance: none; + -moz-appearance: none; + appearance: none; + background: none; + border: none; + width: 100%; + text-align: left; +} +.dropdown-menu > li > a:hover, +.dropdown-menu > li > button:hover, +.dropdown-menu > li > a:focus, +.dropdown-menu > li > button:focus { + text-decoration: none; + color: #FFF; + background-color: #343741; +} +.dropdown-menu > .active > button, +.dropdown-menu > .active > a, +.dropdown-menu > .active > button:hover, +.dropdown-menu > .active > a:hover, +.dropdown-menu > .active > button:focus, +.dropdown-menu > .active > a:focus { + color: #FFF; + text-decoration: none; + outline: 0; + background-color: #343741; +} +.dropdown-menu > .disabled > a, +.dropdown-menu > .disabled > a:hover, +.dropdown-menu > .disabled > a:focus { + color: #98A2B3; +} +.dropdown-menu > .disabled > a:hover, +.dropdown-menu > .disabled > a:focus { + text-decoration: none; + background-color: transparent; + background-image: none; + filter: progid:DXImageTransform.Microsoft.gradient(enabled = false); + cursor: not-allowed; +} +.open > .dropdown-menu { + display: block; +} +.open > a { + outline: 0; +} +.dropdown-menu-right { + left: auto; + right: 0; +} +.dropdown-menu-left { + left: 0; + right: auto; +} +.dropdown-header { + display: block; + padding: 3px 20px; + font-size: 12px; + line-height: 1.42857143; + color: #98A2B3; + white-space: nowrap; +} +.dropdown-backdrop { + position: fixed; + left: 0; + right: 0; + bottom: 0; + top: 0; + z-index: 990; +} +.pull-right > .dropdown-menu { + right: 0; + left: auto; +} +.dropup .caret, +.navbar-fixed-bottom .dropdown .caret { + border-top: 0; + border-bottom: 4px dashed; + border-bottom: 4px solid \9; + content: ""; +} +.dropup .dropdown-menu, +.navbar-fixed-bottom .dropdown .dropdown-menu { + top: auto; + bottom: 100%; + margin-bottom: 2px; +} +@media (min-width: 0) { + .navbar-right .dropdown-menu { + left: 
auto; + right: 0; + } + .navbar-right .dropdown-menu-left { + left: 0; + right: auto; + } +} +.input-group { + position: relative; + display: table; + border-collapse: separate; +} +.input-group[class*="col-"] { + float: none; + padding-left: 0; + padding-right: 0; +} +.input-group .form-control { + position: relative; + z-index: 2; + float: left; + width: 100%; + margin-bottom: 0; +} +.input-group .form-control:focus { + z-index: 3; +} +.input-group-lg > .form-control, +.input-group-lg > .input-group-addon { + height: 62px; + padding: 18px 27px; + font-size: 18px; + line-height: 1.3333333; + border-radius: 4px; +} +select.input-group-lg > .form-control, +select.input-group-lg > .input-group-addon { + height: 62px; + line-height: 62px; +} +textarea.input-group-lg > .form-control, +textarea.input-group-lg > .input-group-addon, +select[multiple].input-group-lg > .form-control, +select[multiple].input-group-lg > .input-group-addon { + height: auto; +} +.input-group-sm > .form-control, +.input-group-sm > .input-group-addon { + height: 32px; + padding: 6px 9px; + font-size: 12px; + line-height: 1.5; + border-radius: 4px; +} +select.input-group-sm > .form-control, +select.input-group-sm > .input-group-addon { + height: 32px; + line-height: 32px; +} +textarea.input-group-sm > .form-control, +textarea.input-group-sm > .input-group-addon, +select[multiple].input-group-sm > .form-control, +select[multiple].input-group-sm > .input-group-addon { + height: auto; +} +.input-group-addon, +.input-group .form-control { + display: table-cell; +} +.input-group-addon:not(:first-child):not(:last-child), +.input-group .form-control:not(:first-child):not(:last-child) { + border-radius: 0; +} +.input-group-addon { + width: 1%; + white-space: nowrap; + vertical-align: middle; +} +.input-group-addon { + padding: 5px 15px; + font-size: 14px; + font-weight: normal; + line-height: 1; + color: #343741; + text-align: center; + background-color: #D3DAE6; + border: 1px solid #D3DAE6; + 
border-radius: 4px; +} +.input-group-addon.input-sm { + padding: 6px 9px; + font-size: 12px; + border-radius: 4px; +} +.input-group-addon.input-lg { + padding: 18px 27px; + font-size: 18px; + border-radius: 4px; +} +.input-group-addon input[type="radio"], +.input-group-addon input[type="checkbox"] { + margin-top: 0; +} +.input-group .form-control:first-child, +.input-group-addon:first-child { + border-bottom-right-radius: 0; + border-top-right-radius: 0; +} +.input-group-addon:first-child { + border-right: 0; +} +.input-group .form-control:last-child, +.input-group-addon:last-child { + border-bottom-left-radius: 0; + border-top-left-radius: 0; +} +.input-group-addon:last-child { + border-left: 0; +} +.pagination { + display: inline-block; + padding-left: 0; + margin: 20px 0; + border-radius: 4px; +} +.pagination > li { + display: inline; +} +.pagination > li > a, +.pagination > li > span { + position: relative; + float: left; + padding: 5px 15px; + line-height: 1.42857143; + text-decoration: none; + color: #006BB4; + background-color: transparent; + border: 1px solid transparent; + margin-left: -1px; +} +.pagination > li:first-child > a, +.pagination > li:first-child > span { + margin-left: 0; + border-bottom-left-radius: 4px; + border-top-left-radius: 4px; +} +.pagination > li:last-child > a, +.pagination > li:last-child > span { + border-bottom-right-radius: 4px; + border-top-right-radius: 4px; +} +.pagination > li > a:hover, +.pagination > li > span:hover, +.pagination > li > a:focus, +.pagination > li > span:focus { + z-index: 2; + color: #006BB4; + background-color: rgba(0, 0, 0, 0); + border-color: transparent; +} +.pagination > .active > a, +.pagination > .active > span, +.pagination > .active > a:hover, +.pagination > .active > span:hover, +.pagination > .active > a:focus, +.pagination > .active > span:focus { + z-index: 3; + color: #343741; + background-color: rgba(0, 0, 0, 0); + border-color: transparent; + cursor: default; +} +.pagination > .disabled > 
span, +.pagination > .disabled > span:hover, +.pagination > .disabled > span:focus, +.pagination > .disabled > a, +.pagination > .disabled > a:hover, +.pagination > .disabled > a:focus { + color: #343741; + background-color: rgba(38, 38, 38, 0); + border-color: transparent; + cursor: not-allowed; +} +.pagination-lg > li > a, +.pagination-lg > li > span { + padding: 18px 27px; + font-size: 18px; + line-height: 1.3333333; +} +.pagination-lg > li:first-child > a, +.pagination-lg > li:first-child > span { + border-bottom-left-radius: 4px; + border-top-left-radius: 4px; +} +.pagination-lg > li:last-child > a, +.pagination-lg > li:last-child > span { + border-bottom-right-radius: 4px; + border-top-right-radius: 4px; +} +.pagination-sm > li > a, +.pagination-sm > li > span { + padding: 6px 9px; + font-size: 12px; + line-height: 1.5; +} +.pagination-sm > li:first-child > a, +.pagination-sm > li:first-child > span { + border-bottom-left-radius: 4px; + border-top-left-radius: 4px; +} +.pagination-sm > li:last-child > a, +.pagination-sm > li:last-child > span { + border-bottom-right-radius: 4px; + border-top-right-radius: 4px; +} +.pager { + padding-left: 0; + margin: 20px 0; + list-style: none; + text-align: center; +} +.pager li { + display: inline; +} +.pager li > a, +.pager li > span { + display: inline-block; + padding: 5px 14px; + background-color: transparent; + border: 1px solid transparent; + border-radius: 0; +} +.pager li > a:hover, +.pager li > a:focus { + text-decoration: none; + background-color: rgba(0, 0, 0, 0); +} +.pager .next > a, +.pager .next > span { + float: right; +} +.pager .previous > a, +.pager .previous > span { + float: left; +} +.pager .disabled > a, +.pager .disabled > a:hover, +.pager .disabled > a:focus, +.pager .disabled > span { + color: #FFF; + background-color: transparent; + cursor: not-allowed; +} +.label { + display: inline; + padding: .2em .6em .3em; + font-size: 75%; + font-weight: bold; + line-height: 1; + color: #FFF; + text-align: 
center; + white-space: nowrap; + vertical-align: baseline; + border-radius: .25em; +} +a.label:hover, +a.label:focus { + color: #FFF; + text-decoration: none; + cursor: pointer; +} +.label:empty { + display: none; +} +.label-default { + background-color: #006BB4; +} +.label-default[href]:hover, +.label-default[href]:focus { + background-color: #004d81; +} +.label-primary { + background-color: #343741; +} +.label-primary[href]:hover, +.label-primary[href]:focus { + background-color: #1d1f25; +} +.label-success { + background-color: #017D73; +} +.label-success[href]:hover, +.label-success[href]:focus { + background-color: #014a44; +} +.label-info { + background-color: #006BB4; +} +.label-info[href]:hover, +.label-info[href]:focus { + background-color: #004d81; +} +.label-warning { + background-color: #F5A700; +} +.label-warning[href]:hover, +.label-warning[href]:focus { + background-color: #c28400; +} +.label-danger { + background-color: #BD271E; +} +.label-danger[href]:hover, +.label-danger[href]:focus { + background-color: #911e17; +} +.panel { + margin-bottom: 20px; + background-color: #FFF; + border: 1px solid transparent; + border-radius: 4px; + box-shadow: 0 1px 1px rgba(0, 0, 0, 0.05); +} +.panel-body { + padding: 15px; +} +.panel-heading { + padding: 10px 15px; + border-bottom: 1px solid transparent; + border-top-right-radius: 3px; + border-top-left-radius: 3px; +} +.panel-heading > .dropdown .dropdown-toggle { + color: inherit; +} +.panel-title { + margin-top: 0; + margin-bottom: 0; + font-size: 16px; + color: inherit; +} +.panel-title > a, +.panel-title > small, +.panel-title > .small, +.panel-title > small > a, +.panel-title > .small > a { + color: inherit; +} +.panel-footer { + padding: 10px 15px; + background-color: #F5F7FA; + border-top: 1px solid #D3DAE6; + border-bottom-right-radius: 3px; + border-bottom-left-radius: 3px; +} +.panel > .list-group, +.panel > .panel-collapse > .list-group { + margin-bottom: 0; +} +.panel > .list-group .list-group-item, 
+.panel > .panel-collapse > .list-group .list-group-item { + border-width: 1px 0; + border-radius: 0; +} +.panel > .list-group:first-child .list-group-item:first-child, +.panel > .panel-collapse > .list-group:first-child .list-group-item:first-child { + border-top: 0; + border-top-right-radius: 3px; + border-top-left-radius: 3px; +} +.panel > .list-group:last-child .list-group-item:last-child, +.panel > .panel-collapse > .list-group:last-child .list-group-item:last-child { + border-bottom: 0; + border-bottom-right-radius: 3px; + border-bottom-left-radius: 3px; +} +.panel > .panel-heading + .panel-collapse > .list-group .list-group-item:first-child { + border-top-right-radius: 0; + border-top-left-radius: 0; +} +.panel-heading + .list-group .list-group-item:first-child { + border-top-width: 0; +} +.list-group + .panel-footer { + border-top-width: 0; +} +.panel > .table, +.panel > .table-responsive > .table, +.panel > .panel-collapse > .table { + margin-bottom: 0; +} +.panel > .table caption, +.panel > .table-responsive > .table caption, +.panel > .panel-collapse > .table caption { + padding-left: 15px; + padding-right: 15px; +} +.panel > .table:first-child, +.panel > .table-responsive:first-child > .table:first-child { + border-top-right-radius: 3px; + border-top-left-radius: 3px; +} +.panel > .table:first-child > thead:first-child > tr:first-child, +.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child, +.panel > .table:first-child > tbody:first-child > tr:first-child, +.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child { + border-top-left-radius: 3px; + border-top-right-radius: 3px; +} +.panel > .table:first-child > thead:first-child > tr:first-child td:first-child, +.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:first-child, +.panel > .table:first-child > tbody:first-child > tr:first-child td:first-child, +.panel > 
.table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:first-child, +.panel > .table:first-child > thead:first-child > tr:first-child th:first-child, +.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:first-child, +.panel > .table:first-child > tbody:first-child > tr:first-child th:first-child, +.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:first-child { + border-top-left-radius: 3px; +} +.panel > .table:first-child > thead:first-child > tr:first-child td:last-child, +.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:last-child, +.panel > .table:first-child > tbody:first-child > tr:first-child td:last-child, +.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:last-child, +.panel > .table:first-child > thead:first-child > tr:first-child th:last-child, +.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:last-child, +.panel > .table:first-child > tbody:first-child > tr:first-child th:last-child, +.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:last-child { + border-top-right-radius: 3px; +} +.panel > .table:last-child, +.panel > .table-responsive:last-child > .table:last-child { + border-bottom-right-radius: 3px; + border-bottom-left-radius: 3px; +} +.panel > .table:last-child > tbody:last-child > tr:last-child, +.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child, +.panel > .table:last-child > tfoot:last-child > tr:last-child, +.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child { + border-bottom-left-radius: 3px; + border-bottom-right-radius: 3px; +} +.panel > .table:last-child > tbody:last-child > tr:last-child td:first-child, +.panel > 
.table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:first-child, +.panel > .table:last-child > tfoot:last-child > tr:last-child td:first-child, +.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:first-child, +.panel > .table:last-child > tbody:last-child > tr:last-child th:first-child, +.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:first-child, +.panel > .table:last-child > tfoot:last-child > tr:last-child th:first-child, +.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:first-child { + border-bottom-left-radius: 3px; +} +.panel > .table:last-child > tbody:last-child > tr:last-child td:last-child, +.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:last-child, +.panel > .table:last-child > tfoot:last-child > tr:last-child td:last-child, +.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:last-child, +.panel > .table:last-child > tbody:last-child > tr:last-child th:last-child, +.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:last-child, +.panel > .table:last-child > tfoot:last-child > tr:last-child th:last-child, +.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:last-child { + border-bottom-right-radius: 3px; +} +.panel > .panel-body + .table, +.panel > .panel-body + .table-responsive, +.panel > .table + .panel-body, +.panel > .table-responsive + .panel-body { + border-top: 1px solid #D3DAE6; +} +.panel > .table > tbody:first-child > tr:first-child th, +.panel > .table > tbody:first-child > tr:first-child td { + border-top: 0; +} +.panel > .table-bordered, +.panel > .table-responsive > .table-bordered { + border: 0; +} +.panel > .table-bordered > thead > tr > th:first-child, +.panel > .table-responsive > 
.table-bordered > thead > tr > th:first-child, +.panel > .table-bordered > tbody > tr > th:first-child, +.panel > .table-responsive > .table-bordered > tbody > tr > th:first-child, +.panel > .table-bordered > tfoot > tr > th:first-child, +.panel > .table-responsive > .table-bordered > tfoot > tr > th:first-child, +.panel > .table-bordered > thead > tr > td:first-child, +.panel > .table-responsive > .table-bordered > thead > tr > td:first-child, +.panel > .table-bordered > tbody > tr > td:first-child, +.panel > .table-responsive > .table-bordered > tbody > tr > td:first-child, +.panel > .table-bordered > tfoot > tr > td:first-child, +.panel > .table-responsive > .table-bordered > tfoot > tr > td:first-child { + border-left: 0; +} +.panel > .table-bordered > thead > tr > th:last-child, +.panel > .table-responsive > .table-bordered > thead > tr > th:last-child, +.panel > .table-bordered > tbody > tr > th:last-child, +.panel > .table-responsive > .table-bordered > tbody > tr > th:last-child, +.panel > .table-bordered > tfoot > tr > th:last-child, +.panel > .table-responsive > .table-bordered > tfoot > tr > th:last-child, +.panel > .table-bordered > thead > tr > td:last-child, +.panel > .table-responsive > .table-bordered > thead > tr > td:last-child, +.panel > .table-bordered > tbody > tr > td:last-child, +.panel > .table-responsive > .table-bordered > tbody > tr > td:last-child, +.panel > .table-bordered > tfoot > tr > td:last-child, +.panel > .table-responsive > .table-bordered > tfoot > tr > td:last-child { + border-right: 0; +} +.panel > .table-bordered > thead > tr:first-child > td, +.panel > .table-responsive > .table-bordered > thead > tr:first-child > td, +.panel > .table-bordered > tbody > tr:first-child > td, +.panel > .table-responsive > .table-bordered > tbody > tr:first-child > td, +.panel > .table-bordered > thead > tr:first-child > th, +.panel > .table-responsive > .table-bordered > thead > tr:first-child > th, +.panel > .table-bordered > tbody > 
tr:first-child > th, +.panel > .table-responsive > .table-bordered > tbody > tr:first-child > th { + border-bottom: 0; +} +.panel > .table-bordered > tbody > tr:last-child > td, +.panel > .table-responsive > .table-bordered > tbody > tr:last-child > td, +.panel > .table-bordered > tfoot > tr:last-child > td, +.panel > .table-responsive > .table-bordered > tfoot > tr:last-child > td, +.panel > .table-bordered > tbody > tr:last-child > th, +.panel > .table-responsive > .table-bordered > tbody > tr:last-child > th, +.panel > .table-bordered > tfoot > tr:last-child > th, +.panel > .table-responsive > .table-bordered > tfoot > tr:last-child > th { + border-bottom: 0; +} +.panel > .table-responsive { + border: 0; + margin-bottom: 0; +} +.panel-group { + margin-bottom: 20px; +} +.panel-group .panel { + margin-bottom: 0; + border-radius: 4px; +} +.panel-group .panel + .panel { + margin-top: 5px; +} +.panel-group .panel-heading { + border-bottom: 0; +} +.panel-group .panel-heading + .panel-collapse > .panel-body, +.panel-group .panel-heading + .panel-collapse > .list-group { + border-top: 1px solid #D3DAE6; +} +.panel-group .panel-footer { + border-top: 0; +} +.panel-group .panel-footer + .panel-collapse .panel-body { + border-bottom: 1px solid #D3DAE6; +} +.panel-default { + border-color: #D3DAE6; +} +.panel-default > .panel-heading { + color: #7b7b7b; + background-color: #F5F7FA; + border-color: #D3DAE6; +} +.panel-default > .panel-heading + .panel-collapse > .panel-body { + border-top-color: #D3DAE6; +} +.panel-default > .panel-heading .badge { + color: #F5F7FA; + background-color: #7b7b7b; +} +.panel-default > .panel-footer + .panel-collapse > .panel-body { + border-bottom-color: #D3DAE6; +} +.panel-primary { + border-color: #343741; +} +.panel-primary > .panel-heading { + color: #FFF; + background-color: #343741; + border-color: #343741; +} +.panel-primary > .panel-heading + .panel-collapse > .panel-body { + border-top-color: #343741; +} +.panel-primary > 
.panel-heading .badge { + color: #343741; + background-color: #FFF; +} +.panel-primary > .panel-footer + .panel-collapse > .panel-body { + border-bottom-color: #343741; +} +.panel-success { + border-color: #014a44; +} +.panel-success > .panel-heading { + color: #FFF; + background-color: #017D73; + border-color: #014a44; +} +.panel-success > .panel-heading + .panel-collapse > .panel-body { + border-top-color: #014a44; +} +.panel-success > .panel-heading .badge { + color: #017D73; + background-color: #FFF; +} +.panel-success > .panel-footer + .panel-collapse > .panel-body { + border-bottom-color: #014a44; +} +.panel-info { + border-color: #004d81; +} +.panel-info > .panel-heading { + color: #FFF; + background-color: #006BB4; + border-color: #004d81; +} +.panel-info > .panel-heading + .panel-collapse > .panel-body { + border-top-color: #004d81; +} +.panel-info > .panel-heading .badge { + color: #006BB4; + background-color: #FFF; +} +.panel-info > .panel-footer + .panel-collapse > .panel-body { + border-bottom-color: #004d81; +} +.panel-warning { + border-color: #c28400; +} +.panel-warning > .panel-heading { + color: #FFF; + background-color: #F5A700; + border-color: #c28400; +} +.panel-warning > .panel-heading + .panel-collapse > .panel-body { + border-top-color: #c28400; +} +.panel-warning > .panel-heading .badge { + color: #F5A700; + background-color: #FFF; +} +.panel-warning > .panel-footer + .panel-collapse > .panel-body { + border-bottom-color: #c28400; +} +.panel-danger { + border-color: #911e17; +} +.panel-danger > .panel-heading { + color: #FFF; + background-color: #BD271E; + border-color: #911e17; +} +.panel-danger > .panel-heading + .panel-collapse > .panel-body { + border-top-color: #911e17; +} +.panel-danger > .panel-heading .badge { + color: #BD271E; + background-color: #FFF; +} +.panel-danger > .panel-footer + .panel-collapse > .panel-body { + border-bottom-color: #911e17; +} +.popover { + position: absolute; + top: 0; + left: 0; + z-index: 1010; + 
display: none; + max-width: 276px; + padding: 1px; + font-family: 'Open Sans', Helvetica, Arial, sans-serif; + font-style: normal; + font-weight: normal; + letter-spacing: normal; + line-break: auto; + line-height: 1.42857143; + text-align: left; + text-align: start; + text-decoration: none; + text-shadow: none; + text-transform: none; + white-space: normal; + word-break: normal; + word-spacing: normal; + word-wrap: normal; + font-size: 14px; + background-color: #FFF; + background-clip: padding-box; + border: 1px solid #D3DAE6; + border-radius: 4px; + box-shadow: 0 4px 8px 0 rgba(0, 0, 0, 0.1); +} +.popover.top { + margin-top: -10px; +} +.popover.right { + margin-left: 10px; +} +.popover.bottom { + margin-top: 10px; +} +.popover.left { + margin-left: -10px; +} +.popover-title { + margin: 0; + padding: 8px 14px; + font-size: 14px; + background-color: #f7f7f7; + border-bottom: 1px solid #ebebeb; + border-radius: 3px 3px 0 0; +} +.popover-content { + padding: 9px 14px; +} +.popover > .arrow, +.popover > .arrow:after { + position: absolute; + display: block; + width: 0; + height: 0; + border-color: transparent; + border-style: solid; +} +.popover > .arrow { + border-width: 11px; +} +.popover > .arrow:after { + border-width: 10px; + content: ""; +} +.popover.top > .arrow { + left: 50%; + margin-left: -11px; + border-bottom-width: 0; + border-top-color: #92a3c1; + border-top-color: #d3dae6; + bottom: -11px; +} +.popover.top > .arrow:after { + content: " "; + bottom: 1px; + margin-left: -10px; + border-bottom-width: 0; + border-top-color: #FFF; +} +.popover.right > .arrow { + top: 50%; + left: -11px; + margin-top: -11px; + border-left-width: 0; + border-right-color: #92a3c1; + border-right-color: #d3dae6; +} +.popover.right > .arrow:after { + content: " "; + left: 1px; + bottom: -10px; + border-left-width: 0; + border-right-color: #FFF; +} +.popover.bottom > .arrow { + left: 50%; + margin-left: -11px; + border-top-width: 0; + border-bottom-color: #92a3c1; + 
border-bottom-color: #d3dae6; + top: -11px; +} +.popover.bottom > .arrow:after { + content: " "; + top: 1px; + margin-left: -10px; + border-top-width: 0; + border-bottom-color: #FFF; +} +.popover.left > .arrow { + top: 50%; + right: -11px; + margin-top: -11px; + border-right-width: 0; + border-left-color: #92a3c1; + border-left-color: #d3dae6; +} +.popover.left > .arrow:after { + content: " "; + right: 1px; + border-right-width: 0; + border-left-color: #FFF; + bottom: -10px; +} +.clearfix:before, +.clearfix:after, +.container:before, +.container:after, +.container-fluid:before, +.container-fluid:after, +.row:before, +.row:after, +.form-horizontal .form-group:before, +.form-horizontal .form-group:after, +.dl-horizontal dd:before, +.dl-horizontal dd:after, +.navbar:before, +.navbar:after, +.navbar-header:before, +.navbar-header:after, +.navbar-collapse:before, +.navbar-collapse:after, +.modal-header:before, +.modal-header:after, +.modal-footer:before, +.modal-footer:after, +.nav:before, +.nav:after, +.pager:before, +.pager:after, +.panel-body:before, +.panel-body:after { + content: " "; + display: table; +} +.clearfix:after, +.container:after, +.container-fluid:after, +.row:after, +.form-horizontal .form-group:after, +.dl-horizontal dd:after, +.navbar:after, +.navbar-header:after, +.navbar-collapse:after, +.modal-header:after, +.modal-footer:after, +.nav:after, +.pager:after, +.panel-body:after { + clear: both; +} +.center-block { + display: block; + margin-left: auto; + margin-right: auto; +} +.pull-right { + float: right !important; +} +.pull-left { + float: left !important; +} +.hide { + display: none !important; +} +.show { + display: block !important; +} +.invisible { + visibility: hidden; +} +.text-hide { + font: 0/0 a; + color: transparent; + text-shadow: none; + background-color: transparent; + border: 0; +} +.hidden { + display: none !important; +} +.affix { + position: fixed; +} +.navbar > .container-fluid > .navbar-nav:not(.pull-right):first-child, 
+.navbar > .container-fluid > .navbar-form:not(.pull-right):first-child { + margin-left: -15px; + margin-top: 4px; +} +.navbar { + border-width: 0; +} +.navbar-btn-link { + margin: 0; + border-radius: 0; +} +@media (max-width: 768px) { + .navbar-btn-link { + width: 100%; + text-align: left; + } +} +.navbar-default .badge { + background-color: #FFF; + color: #F5F7FA; +} +.navbar-inverse .kbnGlobalNav__logoBrand { + height: 45px; + width: 252px; + background-color: #4b4f5d; +} +.navbar-inverse .kbnGlobalNav__smallLogoBrand { + height: 45px; + width: 45px; + background-color: #4b4f5d; +} +.navbar-inverse .badge { + background-color: #FFF; + color: #4b4f5d; +} +.navbar-brand { + cursor: default; + font-size: 1.8em; + -webkit-user-select: none; + -moz-user-select: none; + -ms-user-select: none; + user-select: none; +} +.navbar-nav { + font-size: 12px; +} +.navbar-nav > .active > a { + border-bottom-color: #7b7b7b; + background-color: transparent; +} +.navbar-toggle { + margin-top: 4px; +} +.text-primary, +.text-primary:hover { + color: #343741; +} +.text-success, +.text-success:hover { + color: #017D73; +} +.text-danger, +.text-danger:hover { + color: #BD271E; +} +.text-warning, +.text-warning:hover { + color: #F5A700; +} +.text-info, +.text-info:hover { + color: #006BB4; +} +table .success, +.table .success, +table .warning, +.table .warning, +table .danger, +.table .danger, +table .info, +.table .info { + color: #FFF; +} +table .success a, +.table .success a, +table .warning a, +.table .warning a, +table .danger a, +.table .danger a, +table .info a, +.table .info a { + color: #FFF; +} +.table-bordered > thead > tr > th, +.table-bordered > tbody > tr > th, +.table-bordered > tfoot > tr > th, +.table-bordered > thead > tr > td, +.table-bordered > tbody > tr > td, +.table-bordered > tfoot > tr > td { + border: 1px solid #D3DAE6; +} +.form-control, +input { + border-width: 1px; + box-shadow: none; +} +.form-control:focus, +input:focus { + box-shadow: none; +} 
+.has-warning .help-block, +.has-warning .control-label, +.has-warning .radio, +.has-warning .checkbox, +.has-warning .radio-inline, +.has-warning .checkbox-inline, +.has-warning .form-control-feedback { + color: #F5A700; +} +.has-warning .form-control, +.has-warning .form-control:focus { + border: 1px solid; + border-color: #F5A700; +} +.has-warning .input-group-addon { + border-color: #F5A700; +} +.has-error .help-block, +.has-error .control-label, +.has-error .radio, +.has-error .checkbox, +.has-error .radio-inline, +.has-error .checkbox-inline, +.has-error .form-control-feedback { + color: #BD271E; +} +.has-error .form-control, +.has-error .form-control:focus { + border: 1px solid; + border-color: #BD271E; +} +.has-error .input-group-addon { + border-color: #BD271E; +} +.has-success .help-block, +.has-success .control-label, +.has-success .radio, +.has-success .checkbox, +.has-success .radio-inline, +.has-success .checkbox-inline, +.has-success .form-control-feedback { + color: #017D73; +} +.has-success .form-control, +.has-success .form-control:focus { + border: solid #017D73; +} +.has-success .input-group-addon { + border-color: #017D73; +} +.nav .open > a, +.nav .open > a:hover, +.nav .open > a:focus { + border-color: transparent; +} +.pager a, +.pager a:hover { + color: #FFF; +} +.pager .disabled > a, +.pager .disabled > a:hover, +.pager .disabled > a:focus, +.pager .disabled > span { + background-color: rgba(38, 38, 38, 0); +} +.panel { + border-radius: 0; + box-shadow: 0 0 0 rgba(0, 0, 0, 0); +} +.progress { + box-shadow: none; +} +.progress .progress-bar { + font-size: 10px; + line-height: 10px; +} +.well { + box-shadow: none; +} + +/*------------- WAZUH -------------*/ +.wz-login { + background: url(./wazuh_wazuh_bg.svg) !important; + width: 100% !important; + height: 100% !important; + background-size: cover !important; +} + +.login-wrapper { + text-align: center; + width: 430px!important; + top: 55px; + border-radius: 1px; + padding: 1em; +} + 
+#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--medium > div { + text-align: center; + padding-bottom: 10px; + color: #ffffff !important; + font-size: 35px !important; + font-weight: 300; +} + +#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--small > div { + text-align: center; + padding-bottom: 15px; + color: #ffffff !important; + font-size: 16px !important; +} + +#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > form { + padding: 16px; + box-shadow: 0 2px 2px -1px rgba(152, 162, 179, 0.3), 0 1px 5px -2px rgba(152, 162, 179, 0.3); + background-color: #FFF; + border: 1px solid #D3DAE6; + border-radius: 4px; + -webkit-box-flex: 1; + -ms-flex-positive: 1; + flex-grow: 1; + margin-top: 32px; +} + +.loginWelcome__logo { + display: inline-block; + width: 80px; + height: 80px; + line-height: 80px; + text-align: center; + background-color: #FFF; + border-radius: 100%; + padding: 16px; + box-shadow: 0 6px 12px -1px rgba(152, 162, 179, 0.2), 0 4px 4px -1px rgba(152, 162, 179, 0.2), 0 2px 2px 0 rgba(152, 162, 179, 0.2); + margin-bottom: 32px; +} + +div.euiFormRow > div.euiFormRow__fieldWrapper > button { + background-color: #00a9e5!important; + border-color: #00a9e5!important; + color: #fff; +} + +.loginWelcome__logo { + background: url(./wazuh_logo_circle.svg) center center no-repeat !important; +} diff --git a/kibana-opendistro/config/custom_welcome/security-login.style.css b/kibana-opendistro/config/custom_welcome/security-login.style.css deleted file mode 100644 index 6648df2b..00000000 --- a/kibana-opendistro/config/custom_welcome/security-login.style.css +++ /dev/null 
@@ -1,118 +0,0 @@ -#security-login-app .content { - background: url(./wazuh_wazuh_bg.svg) !important; - width: 100% !important; - height: 100% !important; - background-size: cover !important; -} - -.app-wrapper { - left: 0; -} - -.global-nav.is-global-nav-open+.app-wrapper { - left: 0; -} - -.btn-default { - background-color: #00a9e5!important; - border-color: #00a0e5!important; - color: #ffffff; - padding: 8px; -} - -.btn-default:hover { - background-color: #00a9e5!important; - border-color: #00a0e5!important; - color: #ffffff; -} - -.brand-image-container { - text-align: center; -} - -.brand-image { - display: none; -} - -.login-wrapper { - position: absolute; - width: 430px; - top: 55px; - border-radius: 1px; - padding: 1em; -} - -.login-wrapper .login-title { - text-align: center; - padding-bottom: 10px; - color: #ffffff !important; - font-size: 35px !important; - font-weight: 300; -} - -.login-wrapper .login-subtitle { - text-align: center; - padding-bottom: 15px; - color: #ffffff !important; - font-size: 16px !important; -} - -.login-wrapper .login-form { - padding: 16px; - box-shadow: 0 2px 2px -1px rgba(152, 162, 179, 0.3), 0 1px 5px -2px rgba(152, 162, 179, 0.3); - background-color: #FFF; - border: 1px solid #D3DAE6; - border-radius: 4px; - -webkit-box-flex: 1; - -ms-flex-positive: 1; - flex-grow: 1; - margin-top: 32px; -} - -.login-wrapper .login-form .input-group { - margin-bottom: 1em; -} - -.login-wrapper .login-form .kuiTextInput { - cursor: initial; -} - -.login-wrapper .login-form .kuiTextInput:invalid:not(.ng-touched) { - border-color: #D9D9D9; -} - -.login-wrapper .login-form .kuiTextInput.has-error { - border-color: #A30000; -} - -.login-wrapper .login-form .btn-login { - width: 100%; -} - -.login-wrapper .error-message { - color: #b4251d; - font-size: 14px; - margin-top: 16px; - margin-bottom: 0; - background-color: #f8e9e9; - padding: 8px; - font-weight: 400; - border-left: 2px solid #BD271E; -} - -.loginWelcome__logo { - display: inline-block; 
- width: 80px; - height: 80px; - line-height: 80px; - text-align: center; - background-color: #FFF; - border-radius: 100%; - padding: 16px; - box-shadow: 0 6px 12px -1px rgba(152, 162, 179, 0.2), 0 4px 4px -1px rgba(152, 162, 179, 0.2), 0 2px 2px 0 rgba(152, 162, 179, 0.2); - margin-bottom: 32px; -} - -.loginWelcome__logo { - background: url(./wazuh_logo_circle.svg) center center no-repeat !important; -} \ No newline at end of file diff --git a/kibana-opendistro/config/custom_welcome/template.js.hbs b/kibana-opendistro/config/custom_welcome/template.js.hbs index 54255bca..b3ee1d61 100644 --- a/kibana-opendistro/config/custom_welcome/template.js.hbs +++ b/kibana-opendistro/config/custom_welcome/template.js.hbs @@ -1,7 +1,8 @@ var kbnCsp = JSON.parse(document.querySelector('kbn-csp').getAttribute('data')); window.__kbnStrictCsp__ = kbnCsp.strictCsp; -window.__kbnDarkMode__ = {{darkMode}}; +window.__kbnThemeTag__ = "{{themeTag}}"; window.__kbnPublicPath__ = {{publicPathMap}}; +window.__kbnBundles__ = {{kbnBundlesLoaderSource}} if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) { var legacyBrowserError = document.getElementById('kbn_legacy_browser_error'); 
@@ -14,20 +15,24 @@ if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) { loadingMessage.style.display = 'flex'; window.onload = function () { - //WAZUH + //WAZUH var interval = setInterval(() => { - var title = document.getElementsByClassName('login-title'); - if ((title || []).length) { + var title = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--medium > div") + if (!!title) { clearInterval(interval); - title[0].textContent = "Welcome to Wazuh"; - var subtitle = document.getElementsByClassName('login-subtitle'); - subtitle[0].textContent = "The Open Source Security Platform"; - var logo = document.getElementsByClassName('brand-image-container'); - $(logo).append(''); + var content = document.querySelector("#kibana-body > div"); + content.classList.add("wz-login") + title.textContent = "Welcome to Wazuh"; + var subtitle = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--small > div") + subtitle.textContent = "The Open Source Security Platform"; + var logo = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > figure"); + logo.remove(); + var logoContainer = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul"); + $(logoContainer).prepend(''); } }) // - + function failure() { // make subsequent calls to failure() noop failure = function () {}; @@ -43,7 +48,7 @@ if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) { document.body.innerHTML = err.outerHTML; } -var stylesheetTarget = document.querySelector('head meta[name="add-styles-here"]') + var stylesheetTarget = document.querySelector('head meta[name="add-styles-here"]') function loadStyleSheet(url, cb) { var dom = document.createElement('link'); dom.rel = 'stylesheet'; 
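Review bot: Inside the setInterval callback only `title` is null-checked; `subtitle`, `logo` and `logoContainer` are dereferenced straight after their `querySelector` calls, so a Kibana DOM change that breaks any of the later selectors throws a TypeError after `clearInterval` has already fired and leaves the login page half-customised. Guarding each lookup keeps the failure graceful: `if (subtitle) subtitle.textContent = "The Open Source Security Platform";`, `if (logo) logo.remove();`, `if (logoContainer) $(logoContainer).prepend('');`. As rendered here `$(logoContainer).prepend('')` receives an empty string — if the logo markup was lost in extraction ignore this, otherwise the call inserts nothing. The four long `#kibana-body > div > …` paths are tightly coupled to one Kibana build, so a comment such as `// selectors match the login page DOM of Kibana <VERSION> — revisit on upgrade` (version as a placeholder, the page does not state it) would help the next upgrade, and `if (!!title)` can simply be `if (title)`. The enclosing `if (window.__kbnStrictCsp__ …)` block starts outside the hunk.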
@@ -91,12 +96,7 @@ var stylesheetTarget = document.querySelector('head meta[name="add-styles-here"] {{/each}} ], function () { {{#unless legacyBundlePath}} - if (!__kbnBundles__ || !__kbnBundles__['entry/core'] || typeof __kbnBundles__['entry/core'].__kbnBootstrap__ !== 'function') { - console.error('entry/core bundle did not load correctly'); - failure(); - } else { - __kbnBundles__['entry/core'].__kbnBootstrap__() - } + __kbnBundles__.get('entry/core/public').__kbnBootstrap__(); {{/unless}} load([ @@ -109,4 +109,4 @@ var stylesheetTarget = document.querySelector('head meta[name="add-styles-here"] ]); }); } -} \ No newline at end of file +} diff --git a/kibana-opendistro/config/welcome_wazuh.sh b/kibana-opendistro/config/welcome_wazuh.sh index 46aaddfa..74ae2eef 100644 --- a/kibana-opendistro/config/welcome_wazuh.sh +++ b/kibana-opendistro/config/welcome_wazuh.sh @@ -8,7 +8,7 @@ then echo "Set custom welcome styles" cp -f /tmp/custom_welcome/template.js.hbs /usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs - cp -f /tmp/custom_welcome/security-login.style.css /usr/share/kibana/optimize/bundles/security-login.style.css + cp -f /tmp/custom_welcome/light_theme.style.css /usr/share/kibana/optimize/bundles/light_theme.style.css cp -f /tmp/custom_welcome/*svg /usr/share/kibana/optimize/bundles/ fi From da68eaf83e7406c5bb7f4b60f30dd6a38329d11b Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 2 Oct 2020 17:14:46 +0200 Subject: [PATCH 111/156] Bump s6-overlay to latest release --- wazuh-opendistro/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index 25f1fad8..1dbaa361 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile 
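Review bot: The rewritten bootstrap line drops the guard that used to route a missing or malformed core bundle to `failure()`, so a bundle that fails to load now surfaces as an uncaught TypeError on `.get(...)`/`.__kbnBootstrap__` instead of the legacy-browser error page the rest of this template sets up. If the line is deliberately mirrored from the upstream Kibana template it should stay byte-identical to it; otherwise a small guard preserves the old behaviour: `var core = __kbnBundles__ && __kbnBundles__.get('entry/core/public');` followed by `if (core && typeof core.__kbnBootstrap__ === 'function') { core.__kbnBootstrap__(); } else { failure(); }`. The `load([ … ], function () {` call that encloses this code begins outside the hunk.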
@@ -25,7 +25,7 @@ RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-os RUN curl -s https://packages-dev.wazuh.com/utils/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module -ARG S6_VERSION="v2.0.0.1" +ARG S6_VERSION="v2.1.0.0" RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \ -o /tmp/s6-overlay-amd64.tar.gz && \ tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \ From 0f8c17c980362b9ce1c357a61e78ccdcab635eee Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 2 Oct 2020 17:59:40 +0200 Subject: [PATCH 112/156] Implement PR #261 --- .../config/etc/cont-init.d/0-wazuh-init | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init index 1aa78f65..af248c6c 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init +++ b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init @@ -126,6 +126,17 @@ function ossec_shutdown(){ ${WAZUH_INSTALL_PATH}/bin/ossec-control stop; } +############################################################################## +# Allow users to set the container hostname as dynamically on +# container start. +# +# To use this: +# 1. Create your own ossec.conf file +# 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name +# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf +############################################################################## +sed -i 's/to_be_replaced_by_hostname<\/node_name>/'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf + ############################################################################## # Main function 
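Review bot: The new `sed -i … ${WAZUH_INSTALL_PATH}/etc/ossec.conf` is a top-level statement placed before the `# Main function` block, so — assuming `main` is invoked at the end of the script, as the `main()` hunk that follows suggests — it runs before `mount_files` has copied a user-supplied ossec.conf from `$WAZUH_CONFIG_MOUNT` into place, and the placeholder in the mounted file is never replaced; moving the substitution into `main` after `mount_files` (or into a function called there) fixes the ordering. `${HOSTNAME}` is also spliced into the sed replacement unescaped and the target path is unquoted, so a value containing `/` or `&` (the variable comes straight from the container environment) corrupts the edit; `sed -i 's#to_be_replaced_by_hostname</node_name>#'"${HOSTNAME}"'</node_name>#g' "${WAZUH_INSTALL_PATH}/etc/ossec.conf"` narrows that. The header comment could also state the ordering contract, e.g. `# Runs after mount_files so a mounted ossec.conf is patched too`. PATCH 113 below repeats this hunk verbatim with the same blob ids 1aa78f65..af248c6c, so one of the two commits appears to be a duplicate that will not apply on top of the other. The script's remaining functions are outside the hunk.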
@@ -154,7 +165,7 @@ main() { mount_files # Trap exit signals and do a proper shutdown - trap "ossec_shutdown; exit" SIGINT SIGTERM + trap "ossec_shutdown; exit" SIGINT SIGTERM # Delete temporary data folder rm -rf ${WAZUH_INSTALL_PATH}/data_tmp From 974c359b5480b4fc19e1dfba97f944d7e1d75c0d Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 2 Oct 2020 17:59:40 +0200 Subject: [PATCH 113/156] Implement PR #261 --- .../config/etc/cont-init.d/0-wazuh-init | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init index 1aa78f65..af248c6c 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init +++ b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init @@ -126,6 +126,17 @@ function ossec_shutdown(){ ${WAZUH_INSTALL_PATH}/bin/ossec-control stop; } +############################################################################## +# Allow users to set the container hostname as dynamically on +# container start. +# +# To use this: +# 1. Create your own ossec.conf file +# 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name +# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf +############################################################################## +sed -i 's/to_be_replaced_by_hostname<\/node_name>/'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf + ############################################################################## # Main function @@ -154,7 +165,7 @@ main() { mount_files # Trap exit signals and do a proper shutdown - trap "ossec_shutdown; exit" SIGINT SIGTERM + trap "ossec_shutdown; exit" SIGINT SIGTERM # Delete temporary data folder rm -rf ${WAZUH_INSTALL_PATH}/data_tmp From bed34c33ca6f8fa66b72a373ccdc1d9e37f97b2b Mon Sep 17 00:00:00 2001 
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 2 Oct 2020 18:03:54 +0200 Subject: [PATCH 114/156] Remove legacy code During this s6 start sequence the Wazuh processes are not started yet --- wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init index af248c6c..12460969 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init +++ b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init @@ -118,14 +118,6 @@ mount_files() { fi } -############################################################################## -# Stop OSSEC -############################################################################## - -function ossec_shutdown(){ - ${WAZUH_INSTALL_PATH}/bin/ossec-control stop; -} - ############################################################################## # Allow users to set the container hostname as dynamically on # container start. @@ -164,9 +156,6 @@ main() { # Mount selected files (WAZUH_CONFIG_MOUNT) to container mount_files - # Trap exit signals and do a proper shutdown - trap "ossec_shutdown; exit" SIGINT SIGTERM - # Delete temporary data folder rm -rf ${WAZUH_INSTALL_PATH}/data_tmp From 8d5e090a0389736f9b0b64d257bf428809dc8eb2 Mon Sep 17 00:00:00 2001 
From: manuasir Date: Fri, 16 Oct 2020 13:47:24 +0200 Subject: [PATCH 115/156] Removed deprecated services --- kibana/Dockerfile | 75 ------ kibana/config/entrypoint.sh | 57 ----- kibana/config/kibana_settings.sh | 84 ------- kibana/config/wazuh_app_config.sh | 68 ----- kibana/config/welcome_wazuh.sh | 24 -- kibana/config/xpack_config.sh | 35 --- wazuh/Dockerfile | 59 ----- wazuh/config/etc/cont-init.d/0-wazuh-init | 232 ------------------ .../config/etc/cont-init.d/1-config-filebeat | 31 --- wazuh/config/etc/cont-init.d/2-manager | 3 - wazuh/config/etc/services.d/api/finish | 6 - wazuh/config/etc/services.d/api/run | 4 - wazuh/config/etc/services.d/filebeat/finish | 6 - wazuh/config/etc/services.d/filebeat/run | 4 - wazuh/config/filebeat.yml | 21 -- wazuh/config/permanent_data.env | 74 ------ wazuh/config/permanent_data.sh | 40 --- wazuh/config/wazuh.repo | 7 - 18 files changed, 830 deletions(-) delete mode 100644 kibana/Dockerfile delete mode 100644 kibana/config/entrypoint.sh delete mode 100644 kibana/config/kibana_settings.sh delete mode 100644 kibana/config/wazuh_app_config.sh delete mode 100644 kibana/config/welcome_wazuh.sh delete mode 100644 kibana/config/xpack_config.sh delete mode 100644 wazuh/Dockerfile delete mode 100644 wazuh/config/etc/cont-init.d/0-wazuh-init delete mode 100644 wazuh/config/etc/cont-init.d/1-config-filebeat delete mode 100644 wazuh/config/etc/cont-init.d/2-manager delete mode 100644 wazuh/config/etc/services.d/api/finish delete mode 100644 wazuh/config/etc/services.d/api/run delete mode 100644 wazuh/config/etc/services.d/filebeat/finish delete mode 100644 wazuh/config/etc/services.d/filebeat/run delete mode 100644 wazuh/config/filebeat.yml delete mode 100644 wazuh/config/permanent_data.env delete mode 100644 wazuh/config/permanent_data.sh delete mode 100644 wazuh/config/wazuh.repo diff --git a/kibana/Dockerfile b/kibana/Dockerfile deleted file mode 100644 index 12fffd72..00000000 --- a/kibana/Dockerfile +++ /dev/null 
@@ -1,75 +0,0 @@ -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) -FROM docker.elastic.co/kibana/kibana:7.8.0 -USER kibana -ARG ELASTIC_VERSION=7.8.0 -ARG WAZUH_VERSION=3.13.1 -ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" - -WORKDIR /usr/share/kibana -RUN ./bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip - -WORKDIR / -USER root -COPY config/entrypoint.sh ./entrypoint.sh -RUN chmod 755 ./entrypoint.sh - -ENV PATTERN="" \ - CHECKS_PATTERN="" \ - CHECKS_TEMPLATE="" \ - CHECKS_API="" \ - CHECKS_SETUP="" \ - EXTENSIONS_PCI="" \ - EXTENSIONS_GDPR="" \ - EXTENSIONS_AUDIT="" \ - EXTENSIONS_OSCAP="" \ - EXTENSIONS_CISCAT="" \ - EXTENSIONS_AWS="" \ - EXTENSIONS_VIRUSTOTAL="" \ - EXTENSIONS_OSQUERY="" \ - APP_TIMEOUT="" \ - WAZUH_SHARDS="" \ - WAZUH_REPLICAS="" \ - WAZUH_VERSION_SHARDS="" \ - WAZUH_VERSION_REPLICAS="" \ - IP_SELECTOR="" \ - IP_IGNORE="" \ - XPACK_RBAC_ENABLED="" \ - WAZUH_MONITORING_ENABLED="" \ - WAZUH_MONITORING_FREQUENCY="" \ - WAZUH_MONITORING_SHARDS="" \ - WAZUH_MONITORING_REPLICAS="" \ - ADMIN_PRIVILEGES="" - -ARG XPACK_CANVAS="true" -ARG XPACK_LOGS="true" -ARG XPACK_INFRA="true" -ARG XPACK_ML="true" -ARG XPACK_DEVTOOLS="true" -ARG XPACK_MONITORING="true" -ARG XPACK_APM="true" - -ARG CHANGE_WELCOME="false" - -COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./ - -RUN chmod +x ./wazuh_app_config.sh - -COPY --chown=kibana:kibana ./config/kibana_settings.sh ./ - -RUN chmod +x ./kibana_settings.sh - -COPY --chown=kibana:kibana ./config/xpack_config.sh ./ - -RUN chmod +x ./xpack_config.sh - -RUN ./xpack_config.sh - -COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./ - -RUN chmod +x ./welcome_wazuh.sh - -RUN ./welcome_wazuh.sh -USER kibana -RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --optimize - -ENTRYPOINT ./entrypoint.sh diff --git a/kibana/config/entrypoint.sh b/kibana/config/entrypoint.sh deleted file mode 100644 index 1c445e10..00000000 
--- a/kibana/config/entrypoint.sh +++ /dev/null @@ -1,57 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) - -set -e - -############################################################################## -# Waiting for elasticsearch -############################################################################## - -if [ "x${ELASTICSEARCH_URL}" = "x" ]; then - el_url="http://elasticsearch:9200" -else - el_url="${ELASTICSEARCH_URL}" -fi - -if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then - auth="" -else - auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" -fi - -until curl -XGET $el_url ${auth}; do - >&2 echo "Elastic is unavailable - sleeping" - sleep 5 -done - -sleep 2 - ->&2 echo "Elasticsearch is up." - - -############################################################################## -# Waiting for wazuh alerts template -############################################################################## - -strlen=0 - -while [[ $strlen -eq 0 ]] -do - template=$(curl $el_url/_cat/templates/wazuh -s) - strlen=${#template} - >&2 echo "Wazuh alerts template not loaded - sleeping." - sleep 2 -done - -sleep 2 - ->&2 echo "Wazuh alerts template is loaded." - - -./wazuh_app_config.sh - -sleep 5 - -./kibana_settings.sh & - -/usr/local/bin/kibana-docker diff --git a/kibana/config/kibana_settings.sh b/kibana/config/kibana_settings.sh deleted file mode 100644 index 2e53037d..00000000 --- a/kibana/config/kibana_settings.sh +++ /dev/null 
@@ -1,84 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) - -WAZUH_MAJOR=3 - -############################################################################## -# Wait for the Kibana API to start. It is necessary to do it in this container -# because the others are running Elastic Stack and we can not interrupt them. -# -# The following actions are performed: -# -# Add the wazuh alerts index as default. -# Set the Discover time interval to 24 hours instead of 15 minutes. -# Do not ask user to help providing usage statistics to Elastic. -############################################################################## - -############################################################################## -# Customize elasticsearch ip -############################################################################## -if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then - sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml - sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml -fi - -# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate. -if [ "$KIBANA_INDEX" != "" ]; then - if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then - sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml - fi - echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml -fi - -# If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false. 
-if [ "$XPACK_SECURITY_ENABLED" != "" ]; then - if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then - sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml - fi - echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml -fi - -if [ "$KIBANA_IP" != "" ]; then - kibana_ip="$KIBANA_IP" -else - kibana_ip="kibana" -fi - -# Add auth headers if required -if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; then - curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD" -fi - -while [[ "$(curl $curl_auth -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_ip:5601/status)" != "200" ]]; do - echo "Waiting for Kibana API. Sleeping 5 seconds" - sleep 5 -done - -# Prepare index selection. -echo "Kibana API is running" - -default_index="/tmp/default_index.json" - -cat > ${default_index} << EOF -{ - "changes": { - "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*" - } -} -EOF - -sleep 5 -# Add the wazuh alerts index as default. -curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} -rm -f ${default_index} - -sleep 5 -# Configuring Kibana TimePicker. -curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ -'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}' - -sleep 5 -# Do not ask user to help providing usage statistics to Elastic -curl -POST "http://$kibana_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}' - -echo "End settings" diff --git a/kibana/config/wazuh_app_config.sh b/kibana/config/wazuh_app_config.sh deleted file mode 100644 index cae2dcef..00000000 --- a/kibana/config/wazuh_app_config.sh +++ /dev/null 
@@ -1,68 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) - -wazuh_url="${WAZUH_API_URL:-https://wazuh}" -wazuh_port="${API_PORT:-55000}" -api_user="${API_USER:-foo}" -api_password="${API_PASS:-bar}" - -kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml" -mkdir -p /usr/share/kibana/optimize/wazuh/config/ -touch $kibana_config_file - -declare -A CONFIG_MAP=( - [pattern]=$PATTERN - [checks.pattern]=$CHECKS_PATTERN - [checks.template]=$CHECKS_TEMPLATE - [checks.api]=$CHECKS_API - [checks.setup]=$CHECKS_SETUP - [extensions.pci]=$EXTENSIONS_PCI - [extensions.gdpr]=$EXTENSIONS_GDPR - [extensions.audit]=$EXTENSIONS_AUDIT - [extensions.oscap]=$EXTENSIONS_OSCAP - [extensions.ciscat]=$EXTENSIONS_CISCAT - [extensions.aws]=$EXTENSIONS_AWS - [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL - [extensions.osquery]=$EXTENSIONS_OSQUERY - [timeout]=$APP_TIMEOUT - [wazuh.shards]=$WAZUH_SHARDS - [wazuh.replicas]=$WAZUH_REPLICAS - [wazuh-version.shards]=$WAZUH_VERSION_SHARDS - [wazuh-version.replicas]=$WAZUH_VERSION_REPLICAS - [ip.selector]=$IP_SELECTOR - [ip.ignore]=$IP_IGNORE - [xpack.rbac.enabled]=$XPACK_RBAC_ENABLED - [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED - [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY - [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS - [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS - [admin]=$ADMIN_PRIVILEGES -) - -for i in "${!CONFIG_MAP[@]}" -do - if [ "${CONFIG_MAP[$i]}" != "" ]; then - sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file - fi -done - -# remove default API entry (new in 3.11.0_7.5.1) -sed -ie '/- default:/,+4d' $kibana_config_file - -CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth}) - -grep -q 1513629884013 $kibana_config_file -_config_exists=$? 
- -if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then -cat << EOF > $kibana_config_file -hosts: - - 1513629884013: - url: $wazuh_url - port: $wazuh_port - user: $api_user - password: $api_password -EOF -else - echo "Wazuh APP already configured" -fi diff --git a/kibana/config/welcome_wazuh.sh b/kibana/config/welcome_wazuh.sh deleted file mode 100644 index 98306871..00000000 --- a/kibana/config/welcome_wazuh.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) - -if [[ $CHANGE_WELCOME == "true" ]] -then - - rm -rf ./optimize/bundles - - kibana_path="/usr/share/kibana" - # Set Wazuh app as the default landing page - echo "Set Wazuh app as the default landing page" - echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml - - # Redirect Kibana welcome screen to Discover - echo "Redirect Kibana welcome screen to Discover" - sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html - sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js - - # Redirect Kibana welcome screen to Discover - echo "Hide undesired links" - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js -fi - diff --git a/kibana/config/xpack_config.sh b/kibana/config/xpack_config.sh deleted file mode 100644 index 98e4a656..00000000 --- a/kibana/config/xpack_config.sh +++ /dev/null 
@@ -1,35 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) - -kibana_config_file="/usr/share/kibana/config/kibana.yml" -if grep -Fq "#xpack features" "$kibana_config_file"; -then - declare -A CONFIG_MAP=( - [xpack.apm.ui.enabled]=$XPACK_APM - [xpack.grokdebugger.enabled]=$XPACK_DEVTOOLS - [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS - [xpack.ml.enabled]=$XPACK_ML - [xpack.canvas.enabled]=$XPACK_CANVAS - [xpack.infra.enabled]=$XPACK_INFRA - [xpack.monitoring.enabled]=$XPACK_MONITORING - [console.enabled]=$XPACK_DEVTOOLS - ) - for i in "${!CONFIG_MAP[@]}" - do - if [ "${CONFIG_MAP[$i]}" != "" ]; then - sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file - fi - done -else - echo " -#xpack features -xpack.apm.ui.enabled: $XPACK_APM -xpack.grokdebugger.enabled: $XPACK_DEVTOOLS -xpack.searchprofiler.enabled: $XPACK_DEVTOOLS -xpack.ml.enabled: $XPACK_ML -xpack.canvas.enabled: $XPACK_CANVAS -xpack.infra.enabled: $XPACK_INFRA -xpack.monitoring.enabled: $XPACK_MONITORING -console.enabled: $XPACK_DEVTOOLS -" >> $kibana_config_file -fi diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile deleted file mode 100644 index ecd0855a..00000000 --- a/wazuh/Dockerfile +++ /dev/null 
@@ -1,59 +0,0 @@ -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) -FROM centos:7 - -ARG FILEBEAT_VERSION=7.8.0 -ARG WAZUH_VERSION=3.13.1-1 -ARG TEMPLATE_VERSION="v3.13.1" -ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz" - -ENV API_USER="foo" \ - API_PASS="bar" - - -# Set repositories. -RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH - -COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo - -RUN yum --enablerepo=updates clean metadata && \ - yum -y install openssl which && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \ - curl --silent --location https://rpm.nodesource.com/setup_10.x | bash - && \ - yum -y install nodejs && yum -y install wazuh-api-${WAZUH_VERSION} && \ - sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \ - yum clean all && rm -rf /var/cache/yum - -RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm &&\ - rpm -i filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-${FILEBEAT_VERSION}-x86_64.rpm - -RUN curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/${TEMPLATE_VERSION}/extensions/elasticsearch/7.x/wazuh-template.json &&\ - chmod go+r /etc/filebeat/wazuh-template.json - -RUN curl -s https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module - -ARG S6_VERSION="v2.0.0.1" -RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \ - -o /tmp/s6-overlay-amd64.tar.gz && \ - tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \ - tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \ - rm /tmp/s6-overlay-amd64.tar.gz - -COPY config/filebeat.yml /etc/filebeat/ - -RUN chmod go-w /etc/filebeat/filebeat.yml - -ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat -RUN chmod go-w 
/etc/filebeat/wazuh-template.json - -COPY config/etc/ /etc/ - -# Prepare permanent data -# Sync calls are due to https://github.com/docker/docker/issues/9547 -COPY config/permanent_data.env config/permanent_data.sh / -RUN chmod 755 /permanent_data.sh && \ - sync && /permanent_data.sh && \ - sync && rm /permanent_data.sh - -# Services ports -EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp - -ENTRYPOINT [ "/init" ] diff --git a/wazuh/config/etc/cont-init.d/0-wazuh-init b/wazuh/config/etc/cont-init.d/0-wazuh-init deleted file mode 100644 index b0cbd001..00000000 --- a/wazuh/config/etc/cont-init.d/0-wazuh-init +++ /dev/null 
@@ -1,232 +0,0 @@ -#!/usr/bin/with-contenv bash -# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2) - -# Variables -source /permanent_data.env - -WAZUH_INSTALL_PATH=/var/ossec -WAZUH_CONFIG_MOUNT=/wazuh-config-mount -AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true} -API_GENERATE_CERTS=${API_GENERATE_CERTS:-true} - - -############################################################################## -# Aux functions -############################################################################## -print() { - echo -e $1 -} - -error_and_exit() { - echo "Error executing command: '$1'." - echo 'Exiting.' - exit 1 -} - -exec_cmd() { - eval $1 > /dev/null 2>&1 || error_and_exit "$1" -} - -exec_cmd_stdout() { - eval $1 2>&1 || error_and_exit "$1" -} - - -############################################################################## -# Edit configuration -############################################################################## - -edit_configuration() { # $1 -> setting, $2 -> value - sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${WAZUH_INSTALL_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)" -} - -############################################################################## -# This function will attempt to mount every directory in PERMANENT_DATA -# into the respective path. -# If the path is empty means permanent data volume is also empty, so a backup -# will be copied into it. Otherwise it will not be copied because there is -# already data inside the volume for the specified path. -############################################################################## - -mount_permanent_data() { - for permanent_dir in "${PERMANENT_DATA[@]}"; do - # Check if the path is not empty - if find ${permanent_dir} -mindepth 1 | read; then - print "The path ${permanent_dir} is already mounted" - else - print "Installing ${permanent_dir}" - exec_cmd "cp -a ${WAZUH_INSTALL_PATH}/data_tmp/permanent${permanent_dir}/. 
${permanent_dir}" - fi - done -} - -############################################################################## -# This function will replace from the permanent data volume every file -# contained in PERMANENT_DATA_EXCP -# Some files as 'internal_options.conf' are saved as permanent data, but -# they must be updated to work properly if wazuh version is changed. -############################################################################## - -apply_exclusion_data() { - for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do - if [ -e ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ] - then - DIR=$(dirname "${exclusion_file}") - if [ ! -e ${DIR} ] - then - mkdir -p ${DIR} - fi - - print "Updating ${exclusion_file}" - exec_cmd "cp -p ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ${exclusion_file}" - fi - done -} - -############################################################################## -# This function will delete from the permanent data volume every file -# contained in PERMANENT_DATA_DEL -############################################################################## - -remove_data_files() { - for del_file in "${PERMANENT_DATA_DEL[@]}"; do - if [ -e ${del_file} ] - then - print "Removing ${del_file}" - exec_cmd "rm ${del_file}" - fi - done -} - -############################################################################## -# Create certificates: Manager -############################################################################## - -create_ossec_key_cert() { - print "Creating ossec-authd key and cert" - exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.key 4096" - exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/" -} - -############################################################################## -# Create certificates: API -############################################################################## - 
-create_api_key_cert() { - print "Enabling Wazuh API HTTPS" - edit_configuration "https" "yes" - print "Create Wazuh API key and cert" - exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key 4096" - exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/" - - # Granting proper permissions - chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key - chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt -} - -############################################################################## -# Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect -# destination files permissions -# -# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at -# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will -# replace the ossec.conf file in /var/ossec/data/etc with yours. -############################################################################## - -mount_files() { - if [ -e "$WAZUH_CONFIG_MOUNT" ] - then - print "Identified Wazuh configuration files to mount..." - exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $WAZUH_INSTALL_PATH" - else - print "No Wazuh configuration files to mount..." - fi -} - -############################################################################## -# Stop OSSEC -############################################################################## - -function ossec_shutdown(){ - ${WAZUH_INSTALL_PATH}/bin/ossec-control stop; -} - -############################################################################## -# Interpret any passed arguments (via docker command to this entrypoint) as -# paths or commands, and execute them. -# -# This can be useful for actions that need to be run before the services are -# started, such as "/var/ossec/bin/ossec-control enable agentless". 
-############################################################################## - -docker_custom_args() { - for CUSTOM_COMMAND in "$@" - do - echo "Executing command \`${CUSTOM_COMMAND}\`" - exec_cmd_stdout "${CUSTOM_COMMAND}" - done -} - -############################################################################## -# Change Wazuh API user credentials. -############################################################################## - -change_api_user_credentials() { - pushd /var/ossec/api/configuration/auth/ - echo "Change Wazuh API user credentials" - change_user="node htpasswd -b -c user $API_USER $API_PASS" - eval $change_user - popd -} - - -############################################################################## -# Main function -############################################################################## - -main() { - # Mount permanent data (i.e. ossec.conf) - mount_permanent_data - - # Restore files stored in permanent data that are not permanent (i.e. internal_options.conf) - apply_exclusion_data - - # Remove some files in permanent_data (i.e. .template.db) - remove_data_files - - # Generate ossec-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist - if [ $AUTO_ENROLLMENT_ENABLED == true ] - then - if [ ! -e ${WAZUH_INSTALL_PATH}/etc/sslmanager.key ] - then - create_ossec_key_cert - fi - fi - - # Generate API certs if API_GENERATE_CERTS is true and does not exist - if [ $API_GENERATE_CERTS == true ] - then - if [ ! -e ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt ] - then - create_api_key_cert - fi - fi - - # Mount selected files (WAZUH_CONFIG_MOUNT) to container - mount_files - - # Trap exit signals and do a proper shutdown - trap "ossec_shutdown; exit" SIGINT SIGTERM - - # Execute custom args - docker_custom_args - - # Change API user credentials - change_api_user_credentials - - # Delete temporary data folder - rm -rf ${WAZUH_INSTALL_PATH}/data_tmp - -} - -main 
diff --git a/wazuh/config/etc/cont-init.d/1-config-filebeat b/wazuh/config/etc/cont-init.d/1-config-filebeat deleted file mode 100644 index 181e3e1a..00000000 --- a/wazuh/config/etc/cont-init.d/1-config-filebeat +++ /dev/null @@ -1,31 +0,0 @@ -#!/usr/bin/with-contenv bash -# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2) - -set -e - -WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz - -if [ "$ELASTICSEARCH_URL" != "" ]; then - >&2 echo "Customize Elasticsearch ouput IP" - sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml -fi - -# Configure filebeat.yml security settings - -if [ "$SSL_CERTIFICATE_AUTHORITIES" != "" ]; then - >&2 echo "Configuring Certificate Authorities." - sed -i 's|#ssl.certificate_authorities:|'ssl.certificate_authorities:\ [\"$SSL_CERTIFICATE_AUTHORITIES\"]'|g' /etc/filebeat/filebeat.yml -fi - -if [ "$USERNAME" != "" ]; then - >&2 echo "Configuring username." - sed -i 's|#username:|'username:\ \"$USERNAME\"'|g' /etc/filebeat/filebeat.yml -fi - -if [ "$PASSWORD" != "" ]; then - >&2 echo "Configuring password." - sed -i 's|#password:|'password:\ \"$PASSWORD\"'|g' /etc/filebeat/filebeat.yml -fi - -chmod go-w /etc/filebeat/filebeat.yml || true -chown root: /etc/filebeat/filebeat.yml || true diff --git a/wazuh/config/etc/cont-init.d/2-manager b/wazuh/config/etc/cont-init.d/2-manager deleted file mode 100644 index e548e8b1..00000000 --- a/wazuh/config/etc/cont-init.d/2-manager +++ /dev/null @@ -1,3 +0,0 @@ -#!/usr/bin/with-contenv bash - -/var/ossec/bin/ossec-control start diff --git a/wazuh/config/etc/services.d/api/finish b/wazuh/config/etc/services.d/api/finish deleted file mode 100644 index 38d744d1..00000000 --- a/wazuh/config/etc/services.d/api/finish +++ /dev/null @@ -1,6 +0,0 @@ -#!/usr/bin/env sh -echo >&2 "API exited. code=${1}" - -# terminate other services to exit from the container -exec s6-svscanctl -t /var/run/s6/services - 
diff --git a/wazuh/config/etc/services.d/api/run b/wazuh/config/etc/services.d/api/run deleted file mode 100644 index e6e3e831..00000000 --- a/wazuh/config/etc/services.d/api/run +++ /dev/null @@ -1,4 +0,0 @@ -#!/usr/bin/with-contenv sh -echo >&2 "starting API" - -exec /bin/node /var/ossec/api/app.js diff --git a/wazuh/config/etc/services.d/filebeat/finish b/wazuh/config/etc/services.d/filebeat/finish deleted file mode 100644 index 8813eb67..00000000 --- a/wazuh/config/etc/services.d/filebeat/finish +++ /dev/null @@ -1,6 +0,0 @@ -#!/usr/bin/env sh -echo >&2 "Filebeat exited. code=${1}" - -# terminate other services to exit from the container -exec s6-svscanctl -t /var/run/s6/services - diff --git a/wazuh/config/etc/services.d/filebeat/run b/wazuh/config/etc/services.d/filebeat/run deleted file mode 100644 index 706ee5af..00000000 --- a/wazuh/config/etc/services.d/filebeat/run +++ /dev/null @@ -1,4 +0,0 @@ -#!/usr/bin/with-contenv sh -echo >&2 "starting Filebeat" - -exec /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat diff --git a/wazuh/config/filebeat.yml b/wazuh/config/filebeat.yml deleted file mode 100644 index 0d04bac8..00000000 --- a/wazuh/config/filebeat.yml +++ /dev/null @@ -1,21 +0,0 @@ - -# Wazuh - Filebeat configuration file -filebeat.modules: - - module: wazuh - alerts: - enabled: true - archives: - enabled: false - -setup.template.json.enabled: true -setup.template.json.path: '/etc/filebeat/wazuh-template.json' -setup.template.json.name: 'wazuh' -setup.template.overwrite: true -setup.ilm.enabled: false -output.elasticsearch: - hosts: ['http://elasticsearch:9200'] - #ssl.certificate_authorities: - #ssl.certificate: - #ssl.key: - #username: - #password: diff --git a/wazuh/config/permanent_data.env b/wazuh/config/permanent_data.env deleted file mode 100644 index ca461d63..00000000 
--- a/wazuh/config/permanent_data.env +++ /dev/null 
@@ -1,74 +0,0 @@ -# Permanent data mounted in volumes -i=0 -PERMANENT_DATA[((i++))]="/var/ossec/api/configuration" -PERMANENT_DATA[((i++))]="/var/ossec/etc" -PERMANENT_DATA[((i++))]="/var/ossec/logs" -PERMANENT_DATA[((i++))]="/var/ossec/queue" -PERMANENT_DATA[((i++))]="/var/ossec/agentless" -PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups" -PERMANENT_DATA[((i++))]="/var/ossec/integrations" -PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin" -PERMANENT_DATA[((i++))]="/var/ossec/wodles" -PERMANENT_DATA[((i++))]="/etc/filebeat" -export PERMANENT_DATA - -# Files mounted in a volume that should not be permanent -i=0 -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/internal_options.conf" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw_mac.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.py" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-slack.sh" 
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-tweeter.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_bsd" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/main.exp" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/su.exp" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_linux" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/register_host.sh" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap.py" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_oval.xsl" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_xccdf.xsl" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-redhat-6-ds.xml" 
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-redhat-7-ds.xml" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-centos-6-ds.xml" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-centos-7-ds.xml" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-fedora-24-ds.xml" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-rhel-6-ds.xml" -PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-rhel-7-ds.xml" -export PERMANENT_DATA_EXCP - -# Files mounted in a volume that should be deleted -i=0 -PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db" -export PERMANENT_DATA_DEL diff --git a/wazuh/config/permanent_data.sh b/wazuh/config/permanent_data.sh deleted file mode 100644 index 7dfaa647..00000000 --- a/wazuh/config/permanent_data.sh +++ /dev/null @@ -1,40 +0,0 @@ -#!/bin/bash -# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2) - -# Variables -source /permanent_data.env - -WAZUH_INSTALL_PATH=/var/ossec -DATA_TMP_PATH=${WAZUH_INSTALL_PATH}/data_tmp -mkdir ${DATA_TMP_PATH} - -# Move exclusion files to EXCLUSION_PATH -EXCLUSION_PATH=${DATA_TMP_PATH}/exclusion -mkdir ${EXCLUSION_PATH} - -for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do - # Create the directory for the exclusion file if it does not exist - DIR=$(dirname "${exclusion_file}") - if [ ! -e ${EXCLUSION_PATH}/${DIR} ] - then - mkdir -p ${EXCLUSION_PATH}/${DIR} - fi - - mv ${exclusion_file} ${EXCLUSION_PATH}/${exclusion_file} -done - -# Move permanent files to PERMANENT_PATH -PERMANENT_PATH=${DATA_TMP_PATH}/permanent -mkdir ${PERMANENT_PATH} - -for permanent_dir in "${PERMANENT_DATA[@]}"; do - # Create the directory for the permanent file if it does not exist - DIR=$(dirname "${permanent_dir}") - if [ ! -e ${PERMANENT_PATH}${DIR} ] - then - mkdir -p ${PERMANENT_PATH}${DIR} - fi - - mv ${permanent_dir} ${PERMANENT_PATH}${permanent_dir} - -done 
diff --git a/wazuh/config/wazuh.repo b/wazuh/config/wazuh.repo deleted file mode 100644 index ae462c62..00000000 --- a/wazuh/config/wazuh.repo +++ /dev/null @@ -1,7 +0,0 @@ -[wazuh_repo] -gpgcheck=1 -gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH -enabled=1 -name=Wazuh repository -baseurl=https://packages.wazuh.com/3.x/yum/ -protect=1 From 47ee64b13fb9a86fd661891a29125df99d316539 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Mon, 19 Oct 2020 13:00:32 +0200 Subject: [PATCH 116/156] Avoid overwriting complete config --- kibana-opendistro/config/wazuh_app_config.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kibana-opendistro/config/wazuh_app_config.sh b/kibana-opendistro/config/wazuh_app_config.sh index db1d8f82..f25c0105 100644 --- a/kibana-opendistro/config/wazuh_app_config.sh +++ b/kibana-opendistro/config/wazuh_app_config.sh @@ -54,7 +54,7 @@ grep -q 1513629884013 $kibana_config_file _config_exists=$? if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then -cat << EOF > $kibana_config_file +cat << EOF >> $kibana_config_file hosts: - 1513629884013: url: $wazuh_url From ee59bf6f382d557e0f812d83af64a3b409259f78 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Mon, 19 Oct 2020 13:02:09 +0200 Subject: [PATCH 117/156] Use config template for wazuh.yml - Use a clean template without enabled defaults - Remove legacy code to clean defaults --- kibana-opendistro/Dockerfile | 1 + kibana-opendistro/config/wazuh.yml | 162 +++++++++++++++++++ kibana-opendistro/config/wazuh_app_config.sh | 5 - 3 files changed, 163 insertions(+), 5 deletions(-) create mode 100644 kibana-opendistro/config/wazuh.yml diff --git a/kibana-opendistro/Dockerfile b/kibana-opendistro/Dockerfile index bdd80f9c..7b0b14f5 100644 --- a/kibana-opendistro/Dockerfile +++ b/kibana-opendistro/Dockerfile 
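Review bot: Appending with `>>` no longer wipes the rest of wazuh.yml, but the guard two lines above still only greps for the literal id 1513629884013, so a `hosts:` block that already exists with a different id (user-supplied, or left by an earlier run on a persistent volume) is not detected and a second top-level `hosts:` key gets appended, which YAML loaders either reject as a duplicate key or resolve silently to one of the two. Make the existence check cover the key itself and quote the path: `grep -qE '^hosts:|1513629884013' "$kibana_config_file"; _config_exists=$?`. The lines of the heredoc after `url:` and the closing `else`/`fi` are outside the hunk; if they still write the API user and password as the deleted kibana variant did, this file is the credential store and should not be world-readable.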
@@ -48,6 +48,7 @@ RUN chmod +x ./welcome_wazuh.sh ARG CHANGE_WELCOME="true" RUN ./welcome_wazuh.sh +COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/optimize/wazuh/config/wazuh.yml COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./ RUN chmod +x ./wazuh_app_config.sh diff --git a/kibana-opendistro/config/wazuh.yml b/kibana-opendistro/config/wazuh.yml new file mode 100644 index 00000000..6c52d526 --- /dev/null +++ b/kibana-opendistro/config/wazuh.yml 
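Review bot: The new `COPY --chown=kibana:kibana` keeps whatever mode wazuh.yml has in the build context (typically 0644), yet this is the file wazuh_app_config.sh appends the Wazuh API host entry to at container start, and in the kibana variant deleted earlier in this series that entry carried the API user and password in plaintext. Restrict it at copy time with `COPY --chown=kibana:kibana --chmod=0600 ./config/wazuh.yml /usr/share/kibana/optimize/wazuh/config/wazuh.yml` (requires BuildKit with `# syntax=docker/dockerfile:1.2` or newer), or add `RUN chmod 0600 /usr/share/kibana/optimize/wazuh/config/wazuh.yml` right after the COPY. The runtime script edits the file as the kibana user, which 0600 under that owner still allows.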
@@ -0,0 +1,162 @@ +--- +# +# Wazuh app - App configuration file +# Copyright (C) 2015-2020 Wazuh, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Find more information about this on the LICENSE file. +# +# ======================== Wazuh app configuration file ======================== +# +# Please check the documentation for more information on configuration options: +# https://documentation.wazuh.com/current/installation-guide/index.html +# +# Also, you can check our repository: +# https://github.com/wazuh/wazuh-kibana-app +# +# ------------------------------- Index patterns ------------------------------- +# +# Default index pattern to use. +#pattern: wazuh-alerts-* +# +# ----------------------------------- Checks ----------------------------------- +# +# Defines which checks must to be consider by the healthcheck +# step once the Wazuh app starts. Values must to be true or false. +#checks.pattern : true +#checks.template: true +#checks.api : true +#checks.setup : true +#checks.metaFields: true +# +# --------------------------------- Extensions --------------------------------- +# +# Defines which extensions should be activated when you add a new API entry. +# You can change them after Wazuh app starts. +# Values must to be true or false. +#extensions.pci : true +#extensions.gdpr : true +#extensions.hipaa : true +#extensions.nist : true +#extensions.tsc : true +#extensions.audit : true +#extensions.oscap : false +#extensions.ciscat : false +#extensions.aws : false +#extensions.gcp : false +#extensions.virustotal: false +#extensions.osquery : false +#extensions.docker : false +# +# ---------------------------------- Time out ---------------------------------- +# +# Defines maximum timeout to be used on the Wazuh app requests. 
+# It will be ignored if it is bellow 1500. +# It means milliseconds before we consider a request as failed. +# Default: 20000 +#timeout: 20000 +# +# -------------------------------- API selector -------------------------------- +# +# Defines if the user is allowed to change the selected +# API directly from the Wazuh app top menu. +# Default: true +#api.selector: true +# +# --------------------------- Index pattern selector --------------------------- +# +# Defines if the user is allowed to change the selected +# index pattern directly from the Wazuh app top menu. +# Default: true +#ip.selector: true +# +# List of index patterns to be ignored +#ip.ignore: [] +# +# -------------------------------- X-Pack RBAC --------------------------------- +# +# Custom setting to enable/disable built-in X-Pack RBAC security capabilities. +# Default: enabled +#xpack.rbac.enabled: true +# +# ------------------------------ wazuh-monitoring ------------------------------ +# +# Custom setting to enable/disable wazuh-monitoring indices. +# Values: true, false, worker +# If worker is given as value, the app will show the Agents status +# visualization but won't insert data on wazuh-monitoring indices. +# Default: true +#wazuh.monitoring.enabled: true +# +# Custom setting to set the frequency for wazuh-monitoring indices cron task. +# Default: 900 (s) +#wazuh.monitoring.frequency: 900 +# +# Configure wazuh-monitoring-* indices shards and replicas. +#wazuh.monitoring.shards: 2 +#wazuh.monitoring.replicas: 0 +# +# Configure wazuh-monitoring-* indices custom creation interval. 
+# Values: h (hourly), d (daily), w (weekly), m (monthly) +# Default: d +#wazuh.monitoring.creation: d +# +# Default index pattern to use for Wazuh monitoring +#wazuh.monitoring.pattern: wazuh-monitoring-* +# +# --------------------------------- wazuh-cron ---------------------------------- +# +# Customize the index prefix of predefined jobs +# This change is not retroactive, if you change it new indexes will be created +# cron.prefix: test +# +# ------------------------------ wazuh-statistics ------------------------------- +# +# Custom setting to enable/disable statistics tasks. +#cron.statistics.status: true +# +# Enter the ID of the APIs you want to save data from, leave this empty to run +# the task on all configured APIs +#cron.statistics.apis: [] +# +# Define the frequency of task execution using cron schedule expressions +#cron.statistics.interval: 0 0 * * * * +# +# Define the name of the index in which the documents are to be saved. +#cron.statistics.index.name: statistics +# +# Define the interval in which the index will be created +#cron.statistics.index.creation: w +# +# ------------------------------- App privileges -------------------------------- +#admin: true +# +# ---------------------------- Hide manager alerts ------------------------------ +# Hide the alerts of the manager in all dashboards and discover +#hideManagerAlerts: false +# +# ------------------------------- App logging level ----------------------------- +# Set the logging level for the Wazuh App log files. +# Default value: info +# Allowed values: info, debug +#logs.level: info +# +# -------------------------------- Enrollment DNS ------------------------------- +# Set the variable WAZUH_REGISTRATION_SERVER in agents deployment. +# Default value: '' +#enrollment.dns: '' +# +#-------------------------------- API entries ----------------------------------- +#The following configuration is the default structure to define an API entry. 
+# +#hosts: +# - : +# url: http(s):// +# port: +# username: +# password: + diff --git a/kibana-opendistro/config/wazuh_app_config.sh b/kibana-opendistro/config/wazuh_app_config.sh index f25c0105..def70115 100644 --- a/kibana-opendistro/config/wazuh_app_config.sh +++ b/kibana-opendistro/config/wazuh_app_config.sh @@ -7,8 +7,6 @@ api_user="${API_USER:-wazuh}" api_password="${API_PASS:-wazuh}" kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml" -mkdir -p /usr/share/kibana/optimize/wazuh/config/ -touch $kibana_config_file declare -A CONFIG_MAP=( [pattern]=$PATTERN @@ -45,9 +43,6 @@ do fi done -# remove default API entry (new in 3.11.0_7.5.1) -sed -ie '/- default:/,+4d' $kibana_config_file - CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013) grep -q 1513629884013 $kibana_config_file From 22da062a2bc8096031483f4c4fb9a0a681f661b7 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 20 Oct 2020 13:09:43 +0200 Subject: [PATCH 118/156] Remove duplicated block --- wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init index 41bd852a..36f69247 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init +++ b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init 
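Review bot: Removing the `mkdir -p`/`touch` makes the script assume wazuh.yml was baked into the image by the Dockerfile, but nothing verifies that: if an operator bind-mounts an empty directory over `optimize/wazuh/config/`, every `sed -i` in the loop below fails with "can't read" (non-fatally, the script has no `set -e` in view) and the final `>>` heredoc presumably creates a fresh file holding only the hosts entry, losing the template. Fail fast right after the assignment: `[ -f "$kibana_config_file" ] || { echo "Missing $kibana_config_file (expected from image template)" >&2; exit 1; }`. The context lines also show `api_user`/`api_password` defaulting to `wazuh`/`wazuh`, so a container started without API_USER/API_PASS silently writes those defaults into the config; a warning on stderr when the defaults are in effect would make that visible. The heredoc and the rest of the script are outside this hunk.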
@@ -118,16 +118,6 @@ mount_files() { fi } -############################################################################## -# Allow users to set the container hostname as dynamically on -# container start. -# -# To use this: -# 1. Create your own ossec.conf file -# 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name -# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf -############################################################################## -sed -i 's/to_be_replaced_by_hostname<\/node_name>/'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf ############################################################################## # Allow users to set the container hostname as dynamically on From 7f8d0ccb8e0a5054220ba961f421f3f110c01067 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 20 Oct 2020 13:17:20 +0200 Subject: [PATCH 119/156] Move set_custom_hostname to function --- wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init index 36f69247..916ff482 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init +++ b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init 
@@ -128,7 +128,10 @@ mount_files() { # 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name # 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf ############################################################################## -sed -i 's/to_be_replaced_by_hostname<\/node_name>/'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf + +set_custom_hostname() { + sed -i 's/to_be_replaced_by_hostname<\/node_name>/'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf +} ############################################################################## @@ -156,6 +159,7 @@ main() { # Mount selected files (WAZUH_CONFIG_MOUNT) to container mount_files + set_custom_hostname # Delete temporary data folder rm -rf ${WAZUH_INSTALL_PATH}/data_tmp From 6f9c7ed0820ac235b87b8b83ae2fdbc5521aa631 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 20 Oct 2020 13:18:39 +0200 Subject: [PATCH 120/156] Add comment to function --- wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init | 2 ++ 1 file changed, 2 insertions(+) diff --git a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init index 916ff482..0a625354 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init +++ b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init @@ -159,6 +159,8 @@ main() { # Mount selected files (WAZUH_CONFIG_MOUNT) to container mount_files + + # Allow setting custom hostname set_custom_hostname # Delete temporary data folder From edaaf3de7ecd98064aba1f626e2ef4f28d78c11a Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 20 Oct 2020 14:04:11 +0200 Subject: [PATCH 121/156] Bump S6-overlay to latest release --- wazuh-opendistro/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
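Review bot: `set_custom_hostname` interpolates `${HOSTNAME}` into the sed replacement unescaped and leaves `${WAZUH_INSTALL_PATH}/etc/ossec.conf` unquoted, so it silently relies on the hostname containing no `/` or `&` (true for valid hostnames, not enforced for an arbitrary `HOSTNAME` value) and on the install path containing no whitespace. Quote the target, `"${WAZUH_INSTALL_PATH}/etc/ossec.conf"`, and state the contract in the header comment above it, e.g. `# No-op unless ossec.conf contains the to_be_replaced_by_hostname marker`, since a mounted config without the marker is left untouched without any message. The call added in the `@@ -156,6 +159,7 @@` hunk sits inside `main`, which starts outside the hunk.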
diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index 1dbaa361..6df889e6 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile @@ -25,7 +25,7 @@ RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-os RUN curl -s https://packages-dev.wazuh.com/utils/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module -ARG S6_VERSION="v2.1.0.0" +ARG S6_VERSION="v2.1.0.2" RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \ -o /tmp/s6-overlay-amd64.tar.gz && \ tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \ From a99d0c298879c5f525b96271f4f8b4f7019ac586 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 21 Oct 2020 13:59:55 +0200 Subject: [PATCH 122/156] Include rules and decoders --- wazuh-opendistro/config/etc/cont-init.d/2-manager | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/wazuh-opendistro/config/etc/cont-init.d/2-manager b/wazuh-opendistro/config/etc/cont-init.d/2-manager index bf64f3d2..da8cffa8 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/2-manager +++ b/wazuh-opendistro/config/etc/cont-init.d/2-manager @@ -47,6 +47,14 @@ function_wazuh_migration(){ chown ossec:ossec /var/ossec/etc/shared/default/agent.conf chmod 660 /var/ossec/etc/shared/default/agent.conf + \cp -f /wazuh-migration/data/etc/decoders/* /var/ossec/etc/decoders/ + chown ossec:ossec /var/ossec/etc/decoders/* + chmod 660 /var/ossec/etc/decoders/* + + \cp -f /wazuh-migration/data/etc/rules/* /var/ossec/etc/rules/ + chown ossec:ossec /var/ossec/etc/rules/* + chmod 660 /var/ossec/etc/rules/* + if [ -e /wazuh-migration/data/agentless/.passlist ]; then \cp -f /wazuh-migration/data/agentless/.passlist /var/ossec/agentless/.passlist chown root:ossec /var/ossec/agentless/.passlist From 5de7952153fd6268ee7a90c5e794de3abfb77c5d Mon Sep 17 00:00:00 2001 
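Review bot: The new decoders and rules copy in `function_wazuh_migration` is unconditional, unlike the `.passlist` block right below it that tests for the file first; when the migration volume carries no `etc/decoders` or `etc/rules` entries the unquoted globs stay literal and `cp`, `chown` and `chmod` each fail with an error (noise at best, an aborted init if the script runs under `set -e`, which the hunk does not show). Guard each block the way `.passlist` is guarded, e.g. `if [ -d /wazuh-migration/data/etc/decoders ]; then … fi`, and the same for rules; even if the function is only entered when the volume exists, the volume need not contain these directories. `function_wazuh_migration` starts outside the hunk.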
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 21 Oct 2020 15:55:26 +0200 Subject: [PATCH 123/156] Update Wazuh App parameter vars --- kibana-opendistro/Dockerfile | 10 ++++++---- kibana-opendistro/config/wazuh_app_config.sh | 10 ++++++---- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/kibana-opendistro/Dockerfile b/kibana-opendistro/Dockerfile index 7b0b14f5..b0024a00 100644 --- a/kibana-opendistro/Dockerfile +++ b/kibana-opendistro/Dockerfile @@ -20,17 +20,19 @@ ENV PATTERN="" \ CHECKS_SETUP="" \ EXTENSIONS_PCI="" \ EXTENSIONS_GDPR="" \ + EXTENSIONS_HIPAA="" \ + EXTENSIONS_NIST="" \ + EXTENSIONS_TSC="" \ EXTENSIONS_AUDIT="" \ EXTENSIONS_OSCAP="" \ EXTENSIONS_CISCAT="" \ EXTENSIONS_AWS="" \ + EXTENSIONS_GCP="" \ EXTENSIONS_VIRUSTOTAL="" \ EXTENSIONS_OSQUERY="" \ + EXTENSIONS_DOCKER="" \ APP_TIMEOUT="" \ - WAZUH_SHARDS="" \ - WAZUH_REPLICAS="" \ - WAZUH_VERSION_SHARDS="" \ - WAZUH_VERSION_REPLICAS="" \ + API_SELECTOR="" \ IP_SELECTOR="" \ IP_IGNORE="" \ WAZUH_MONITORING_ENABLED="" \ diff --git a/kibana-opendistro/config/wazuh_app_config.sh b/kibana-opendistro/config/wazuh_app_config.sh index def70115..fca9bd8f 100644 --- a/kibana-opendistro/config/wazuh_app_config.sh +++ b/kibana-opendistro/config/wazuh_app_config.sh 
@@ -16,17 +16,19 @@ declare -A CONFIG_MAP=( [checks.setup]=$CHECKS_SETUP [extensions.pci]=$EXTENSIONS_PCI [extensions.gdpr]=$EXTENSIONS_GDPR + [extensions.hipaa]=$EXTENSIONS_HIPAA + [extensions.nist]=$EXTENSIONS_NIST + [extensions.tsc]=$EXTENSIONS_TSC [extensions.audit]=$EXTENSIONS_AUDIT [extensions.oscap]=$EXTENSIONS_OSCAP [extensions.ciscat]=$EXTENSIONS_CISCAT [extensions.aws]=$EXTENSIONS_AWS + [extensions.gcp]=$EXTENSIONS_GCP [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL [extensions.osquery]=$EXTENSIONS_OSQUERY + [extensions.docker]=$EXTENSIONS_DOCKER [timeout]=$APP_TIMEOUT - [wazuh.shards]=$WAZUH_SHARDS - [wazuh.replicas]=$WAZUH_REPLICAS - [wazuh-version.shards]=$WAZUH_VERSION_SHARDS - [wazuh-version.replicas]=$WAZUH_VERSION_REPLICAS + [api.selector]=$API_SELECTOR [ip.selector]=$IP_SELECTOR [ip.ignore]=$IP_IGNORE [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED From 49a16c0ff1024f0f165c7fde651cadb7014d0f68 Mon Sep 17 00:00:00 2001 From: Thomas Anderson Date: Mon, 16 Dec 2019 16:44:02 -0500 Subject: [PATCH 124/156] Explain environment variables --- README.md | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/README.md b/README.md index 7c3c87f6..1325a3c2 100644 --- a/README.md +++ b/README.md 
@@ -22,10 +22,77 @@ In addition, a docker-compose file is provided to launch the containers mentione * [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html) * [Docker hub](https://hub.docker.com/u/wazuh) + ### Setup SSL certificate and Basic Authentication Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed) and setup the basic auth. +Documentation on how to provide these two can be found at [nginx_conf/README.md](nginx_conf/README.md). + + +## Environment Variables + +Default values are included when available. + +### Wazuh +``` +API_USER="foo" # Wazuh API username +API_PASS="bar" # Wazuh API password +``` + +### Nginx +``` +NGINX_NAME="foo" # HTTP basic auth username +NGINX_PWD="bar" # HTTP basic auth password +``` + +### Elasticsearch +``` +ELASTIC_CLUSTER="false" # +CLUSTER_NAME="wazuh" # +CLUSTER_NODE_MASTER="false" # +CLUSTER_NODE_DATA="true" # +CLUSTER_NODE_INGEST="true" # +CLUSTER_NODE_NAME="wazuh-elasticsearch" # +CLUSTER_MASTER_NODE_NAME="master-node" # +CLUSTER_MEMORY_LOCK="true" # +CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" # +CLUSTER_NUMBER_OF_MASTERS="2" # +CLUSTER_MAX_NODES="1" # +CLUSTER_DELAYED_TIMEOUT="1m" # +CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch" # +``` + +### Kibana +``` +PATTERN="" # +CHECKS_PATTERN="" # +CHECKS_TEMPLATE="" # +CHECKS_API="" # +CHECKS_SETUP="" # +EXTENSIONS_PCI="" # +EXTENSIONS_GDPR="" # +EXTENSIONS_AUDIT="" # +EXTENSIONS_OSCAP="" # +EXTENSIONS_CISCAT="" # +EXTENSIONS_AWS="" # +EXTENSIONS_VIRUSTOTAL="" # +EXTENSIONS_OSQUERY="" # +APP_TIMEOUT="" # +WAZUH_SHARDS="" # +WAZUH_REPLICAS="" # +WAZUH_VERSION_SHARDS="" # +WAZUH_VERSION_REPLICAS="" # +IP_SELECTOR="" # +IP_IGNORE="" # +XPACK_RBAC_ENABLED="" # +WAZUH_MONITORING_ENABLED="" # +WAZUH_MONITORING_FREQUENCY="" # +WAZUH_MONITORING_SHARDS="" # +WAZUH_MONITORING_REPLICAS="" # +ADMIN_PRIVILEGES="" # +``` + ## Directory structure wazuh-docker 
From d5fb09f8e011dd78b6464980f0f33831dd5fbba0 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 2 Apr 2020 11:07:49 +0200 Subject: [PATCH 125/156] Remove outdated nginx section --- README.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/README.md b/README.md index 1325a3c2..c1d69502 100644 --- a/README.md +++ b/README.md @@ -40,12 +40,6 @@ API_USER="foo" # Wazuh API username API_PASS="bar" # Wazuh API password ``` -### Nginx -``` -NGINX_NAME="foo" # HTTP basic auth username -NGINX_PWD="bar" # HTTP basic auth password -``` - ### Elasticsearch ``` ELASTIC_CLUSTER="false" # From 925aa43915e88fcc06224ea59394aceec36f8857 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Wed, 8 Apr 2020 18:03:38 +0200 Subject: [PATCH 126/156] Describe Elastic env vars --- README.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index c1d69502..406a3db0 100644 --- a/README.md +++ b/README.md 
@@ -42,19 +42,19 @@ API_PASS="bar" # Wazuh API password ### Elasticsearch ``` -ELASTIC_CLUSTER="false" # -CLUSTER_NAME="wazuh" # -CLUSTER_NODE_MASTER="false" # -CLUSTER_NODE_DATA="true" # -CLUSTER_NODE_INGEST="true" # -CLUSTER_NODE_NAME="wazuh-elasticsearch" # -CLUSTER_MASTER_NODE_NAME="master-node" # -CLUSTER_MEMORY_LOCK="true" # -CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" # -CLUSTER_NUMBER_OF_MASTERS="2" # -CLUSTER_MAX_NODES="1" # -CLUSTER_DELAYED_TIMEOUT="1m" # -CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch" # +ELASTIC_CLUSTER="false" # Setup a cluster +CLUSTER_NAME="wazuh" # Cluster name +CLUSTER_NODE_MASTER="false" # Set node as master +CLUSTER_NODE_DATA="true" # Store data on this node +CLUSTER_NODE_INGEST="true" # Setup as ingest node +CLUSTER_NODE_NAME="wazuh-elasticsearch" # Name for this node +CLUSTER_MASTER_NODE_NAME="master-node" # Name of the master node +CLUSTER_MEMORY_LOCK="true" # Set Elasticsearch memory lock +CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" # Set discovery service +CLUSTER_NUMBER_OF_MASTERS="2" # Number of masters on the cluster +CLUSTER_MAX_NODES="1" # Max number of nodes on the cluster +CLUSTER_DELAYED_TIMEOUT="1m" # Set delayed timeout +CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch" # Elastic bootstrap node ``` ### Kibana From c44b1545788ecf02960f41e3b4f9287216559dc6 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 29 Sep 2020 18:01:18 +0200 Subject: [PATCH 127/156] Remove reference to Elasticsearch variables --- README.md | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/README.md b/README.md index 406a3db0..aa74f1c8 100644 --- a/README.md +++ b/README.md 
@@ -40,23 +40,6 @@ API_USER="foo" # Wazuh API username API_PASS="bar" # Wazuh API password ``` -### Elasticsearch -``` -ELASTIC_CLUSTER="false" # Setup a cluster -CLUSTER_NAME="wazuh" # Cluster name -CLUSTER_NODE_MASTER="false" # Set node as master -CLUSTER_NODE_DATA="true" # Store data on this node -CLUSTER_NODE_INGEST="true" # Setup as ingest node -CLUSTER_NODE_NAME="wazuh-elasticsearch" # Name for this node -CLUSTER_MASTER_NODE_NAME="master-node" # Name of the master node -CLUSTER_MEMORY_LOCK="true" # Set Elasticsearch memory lock -CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" # Set discovery service -CLUSTER_NUMBER_OF_MASTERS="2" # Number of masters on the cluster -CLUSTER_MAX_NODES="1" # Max number of nodes on the cluster -CLUSTER_DELAYED_TIMEOUT="1m" # Set delayed timeout -CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch" # Elastic bootstrap node -``` - ### Kibana ``` PATTERN="" # From cbcaa2ff055985122138d35772bcd521f88dcdd9 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 29 Sep 2020 18:15:04 +0200 Subject: [PATCH 128/156] Add extra Wazuh variables --- README.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index aa74f1c8..ef889bf6 100644 --- a/README.md +++ b/README.md @@ -36,8 +36,15 @@ Default values are included when available. ### Wazuh ``` -API_USER="foo" # Wazuh API username -API_PASS="bar" # Wazuh API password +API_USER="foo" # Wazuh API username +API_PASS="bar" # Wazuh API password +ELASTICSEARCH_URL=https://elasticsearch:9200 +ELASTIC_USERNAME=admin +ELASTIC_PASSWORD=SecretPassword +FILEBEAT_SSL_VERIFICATION_MODE=full # full or none +SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem +SSL_CERTIFICATE=/etc/ssl/filebeat.pem +SSL_KEY=/etc/ssl/filebeat.key ``` ### Kibana From 2ed39e43fb81708cdc5c2e69e537d430aa6402d4 Mon Sep 17 00:00:00 2001 
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 21 Oct 2020 16:03:23 +0200 Subject: [PATCH 129/156] Update description of missing variables --- README.md | 75 +++++++++++++++++++++++++++++++------------------------ 1 file changed, 42 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index ef889bf6..2ee4f00b 100644 --- a/README.md +++ b/README.md 
@@ -36,45 +36,54 @@ Default values are included when available. ### Wazuh ``` -API_USER="foo" # Wazuh API username -API_PASS="bar" # Wazuh API password -ELASTICSEARCH_URL=https://elasticsearch:9200 -ELASTIC_USERNAME=admin -ELASTIC_PASSWORD=SecretPassword -FILEBEAT_SSL_VERIFICATION_MODE=full # full or none -SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem -SSL_CERTIFICATE=/etc/ssl/filebeat.pem -SSL_KEY=/etc/ssl/filebeat.key +API_USER="foo" # Wazuh API username +API_PASS="bar" # Wazuh API password +ELASTICSEARCH_URL=https://elasticsearch:9200 # Elasticsearch URL +ELASTIC_USERNAME=admin # Elasticsearch Username +ELASTIC_PASSWORD=SecretPassword # Elasticsearch Password +FILEBEAT_SSL_VERIFICATION_MODE=full # Filebeat SSL Verification mode (full or none) +SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem # Filebeat SSL CA +SSL_CERTIFICATE=/etc/ssl/filebeat.pem # Filebeat SSL Certificate +SSL_KEY=/etc/ssl/filebeat.key # Filebeat SSL Key ``` ### Kibana ``` -PATTERN="" # -CHECKS_PATTERN="" # -CHECKS_TEMPLATE="" # +PATTERN="" # Default index pattern to use + +CHECKS_PATTERN="" # Defines which checks must to be consider by the healthcheck +CHECKS_TEMPLATE="" # step once the Wazuh app starts. 
Values must to be true or false CHECKS_API="" # CHECKS_SETUP="" # -EXTENSIONS_PCI="" # -EXTENSIONS_GDPR="" # -EXTENSIONS_AUDIT="" # -EXTENSIONS_OSCAP="" # -EXTENSIONS_CISCAT="" # -EXTENSIONS_AWS="" # -EXTENSIONS_VIRUSTOTAL="" # -EXTENSIONS_OSQUERY="" # -APP_TIMEOUT="" # -WAZUH_SHARDS="" # -WAZUH_REPLICAS="" # -WAZUH_VERSION_SHARDS="" # -WAZUH_VERSION_REPLICAS="" # -IP_SELECTOR="" # -IP_IGNORE="" # -XPACK_RBAC_ENABLED="" # -WAZUH_MONITORING_ENABLED="" # -WAZUH_MONITORING_FREQUENCY="" # -WAZUH_MONITORING_SHARDS="" # -WAZUH_MONITORING_REPLICAS="" # -ADMIN_PRIVILEGES="" # + +EXTENSIONS_PCI="" # Enable PCI Extension +EXTENSIONS_GDPR="" # Enable GDPR Extension +EXTENSIONS_HIPAA="" # Enable HIPAA Extension +EXTENSIONS_NIST="" # Enable NIST Extension +EXTENSIONS_TSC="" # Enable TSC Extension +EXTENSIONS_AUDIT="" # Enable Audit Extension +EXTENSIONS_OSCAP="" # Enable OpenSCAP Extension +EXTENSIONS_CISCAT="" # Enable CISCAT Extension +EXTENSIONS_AWS="" # Enable AWS Extension +EXTENSIONS_GCP="" # Enable GCP Extension +EXTENSIONS_VIRUSTOTAL="" # Enable Virustotal Extension +EXTENSIONS_OSQUERY="" # Enable OSQuery Extension +EXTENSIONS_DOCKER="" # Enable Docker Extension + +APP_TIMEOUT="" # Defines maximum timeout to be used on the Wazuh app requests + +API_SELECTOR="" # Defines if the user is allowed to change the selected API directly from the Wazuh app top menu +IP_SELECTOR="" # Defines if the user is allowed to change the selected index pattern directly from the Wazuh app top menu +IP_IGNORE="" # List of index patterns to be ignored + +XPACK_RBAC_ENABLED="" # Custom setting to enable/disable built-in X-Pack RBAC security capabilities. 
Default: enabled + +WAZUH_MONITORING_ENABLED="" # Custom settings to enable/disable wazuh-monitoring indices +WAZUH_MONITORING_FREQUENCY="" # Custom setting to set the frequency for wazuh-monitoring indices cron task +WAZUH_MONITORING_SHARDS="" # Configure wazuh-monitoring-* indices shards and replicas +WAZUH_MONITORING_REPLICAS="" # + +ADMIN_PRIVILEGES="" # App privileges ``` ## Directory structure From 1f1a5dd009b476196bbc1278f798059a7445c93d Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 21 Oct 2020 16:19:13 +0200 Subject: [PATCH 130/156] Remove legacy variable --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 2ee4f00b..fb5fc2cd 100644 --- a/README.md +++ b/README.md @@ -76,8 +76,6 @@ API_SELECTOR="" # Defines if the user is allowed to change the selected IP_SELECTOR="" # Defines if the user is allowed to change the selected index pattern directly from the Wazuh app top menu IP_IGNORE="" # List of index patterns to be ignored -XPACK_RBAC_ENABLED="" # Custom setting to enable/disable built-in X-Pack RBAC security capabilities. Default: enabled - WAZUH_MONITORING_ENABLED="" # Custom settings to enable/disable wazuh-monitoring indices WAZUH_MONITORING_FREQUENCY="" # Custom setting to set the frequency for wazuh-monitoring indices cron task WAZUH_MONITORING_SHARDS="" # Configure wazuh-monitoring-* indices shards and replicas From 3086096c19bec7934cb28fa913463ccb13fe364d Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 22 Oct 2020 14:31:45 +0200 Subject: [PATCH 131/156] Rename env variables to match new config naming --- kibana-opendistro/config/wazuh_app_config.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kibana-opendistro/config/wazuh_app_config.sh b/kibana-opendistro/config/wazuh_app_config.sh index fca9bd8f..95f0d895 100644 --- a/kibana-opendistro/config/wazuh_app_config.sh 
+++ b/kibana-opendistro/config/wazuh_app_config.sh @@ -3,8 +3,8 @@ wazuh_url="${WAZUH_API_URL:-https://wazuh}" wazuh_port="${API_PORT:-55000}" -api_user="${API_USER:-wazuh}" -api_password="${API_PASS:-wazuh}" +api_username="${API_USERNAME:-wazuh}" +api_password="${API_PASSWORD:-wazuh}" kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml" @@ -56,7 +56,7 @@ hosts: - 1513629884013: url: $wazuh_url port: $wazuh_port - username: $api_user + username: $api_username password: $api_password EOF else From fe1b3d147eb08aed8423ab77ab801c9d534717cc Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 22 Oct 2020 14:32:18 +0200 Subject: [PATCH 132/156] Add support to create custom API users --- wazuh-opendistro/Dockerfile | 5 +- wazuh-opendistro/config/create_user.py | 59 +++++++++++++++++++ .../config/etc/cont-init.d/2-manager | 18 ++++++ 3 files changed, 78 insertions(+), 4 deletions(-) create mode 100644 wazuh-opendistro/config/create_user.py diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index 6df889e6..06f3d99f 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile @@ -6,10 +6,6 @@ ARG WAZUH_VERSION=4.0.0-1 ARG TEMPLATE_VERSION="master" ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.2.tar.gz" -ENV API_USER="foo" \ - API_PASS="bar" - - # Set repositories. RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH @@ -40,6 +36,7 @@ ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/e RUN chmod go-w /etc/filebeat/wazuh-template.json COPY config/etc/ /etc/ +COPY --chown=root:ossec config/create_user.py /var/ossec/framework/scripts/create_user.py # Prepare permanent data # Sync calls are due to https://github.com/docker/docker/issues/9547 diff --git a/wazuh-opendistro/config/create_user.py b/wazuh-opendistro/config/create_user.py new file mode 100644 index 00000000..c7ea3efe --- /dev/null +++ b/wazuh-opendistro/config/create_user.py 
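Review bot: `COPY --chown=root:ossec config/create_user.py …` in the `@@ -40,6 +36,7 @@` hunk keeps whatever mode the file has in the build context, and the init scripts later run it with the framework interpreter, presumably as root; a group-writable copy would let the ossec group edit code that root executes. The line just above, `RUN chmod go-w /etc/filebeat/wazuh-template.json`, already establishes the pattern, so add `RUN chmod go-w /var/ossec/framework/scripts/create_user.py` (or `--chmod=0644` on the COPY if this Dockerfile enables a BuildKit syntax directive, which the hunk does not show).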
@@ -0,0 +1,59 @@
+import logging
+import sys
+import json
+import os
+
+# Set framework path
+sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
+
+USER_FILE_PATH = "/var/ossec/api/configuration/admin.json"
+
+
+try:
+    from wazuh.security import (
+        create_user,
+        get_users,
+        get_roles,
+        set_user_role,
+        update_user,
+    )
+except Exception as e:
+    logging.error("No module 'wazuh' found.")
+    sys.exit(1)
+
+
+def read_user_file(path=USER_FILE_PATH):
+    with open(path) as user_file:
+        data = json.load(user_file)
+    return data["username"], data["password"]
+
+
+def db_users():
+    users_result = get_users()
+    return {user["username"]: user["id"] for user in users_result.affected_items}
+
+
+def db_roles():
+    roles_result = get_roles()
+    return {role["name"]: role["id"] for role in roles_result.affected_items}
+
+
+if __name__ == "__main__":
+    if not os.path.exists(USER_FILE_PATH):
+        # abort if no user file detected
+        sys.exit(0)
+    username, password = read_user_file()
+    if username not in db_users():
+        create_user(username=username, password=password)
+        users = db_users()
+        uid = users[username]
+        roles = db_roles()
+        rid = roles["administrator"]
+        set_user_role(
+            user_id=[
+                str(uid),
+            ],
+            role_ids=[
+                str(rid),
+            ],
+        )
diff --git a/wazuh-opendistro/config/etc/cont-init.d/2-manager b/wazuh-opendistro/config/etc/cont-init.d/2-manager
index da8cffa8..cbeeec0f 100644
--- a/wazuh-opendistro/config/etc/cont-init.d/2-manager
+++ b/wazuh-opendistro/config/etc/cont-init.d/2-manager
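Review bot: The `except Exception as e:` around the framework import logs the fixed message "No module 'wazuh' found." for any failure and discards `e`, so an import-time error inside the framework (a broken dependency, a syntax error) is reported as a missing module and the only diagnostic is lost. Narrow it and keep the cause: `except ImportError as e:` with `logging.error("Cannot import the wazuh framework: %s", e)`. `read_user_file` assumes `admin.json` carries both `username` and `password`; a file without them ends in a KeyError traceback rather than a message, which deserves a comment or a short check. The script reads the credentials from `/var/ossec/api/configuration/admin.json` and never removes that file, so the writer of the file has to own its cleanup.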
@@ -75,8 +75,26 @@ function_wazuh_migration(){
 fi
 }
 
+function_create_custom_user() {
+ if [[ ! -z $API_USERNAME ]] && [[ ! -z $API_PASSWORD ]]; then
+ cat << EOF > /var/ossec/api/configuration/admin.json
+{
+ "username": "$API_USERNAME",
+ "password": "$API_PASSWORD"
+}
+EOF
+
+ # insert user into API database
+ /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/create_user.py
+ fi
+}
+
+
 # Migrate data from /wazuh-migration volume
 function_wazuh_migration
+# create API custom user
+function_create_custom_user
+
 # Start Wazuh
 /var/ossec/bin/ossec-control start
From 1a19c72393efc7306bed6c028c151082a3bbe0bb Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Thu, 22 Oct 2020 14:43:46 +0200
Subject: [PATCH 133/156] Update docs on API variables
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index fb5fc2cd..71426d1e 100644
--- a/README.md
+++ b/README.md
@@ -36,8 +36,8 @@ Default values are included when available.
 
 ### Wazuh
 ```
-API_USER="foo" # Wazuh API username
-API_PASS="bar" # Wazuh API password
+API_USERNAME="my-custom-login" # Wazuh API username
+API_PASSWORD="Str0ngP455w0rd.!*-" # Wazuh API password - Must comply with requirements (8+ length, uppercase, lowercase, specials chars)
 ELASTICSEARCH_URL=https://elasticsearch:9200 # Elasticsearch URL
 ELASTIC_USERNAME=admin # Elasticsearch Username
 ELASTIC_PASSWORD=SecretPassword # Elasticsearch Password
From 1aa36c15d610ac1aea0664f6bfe9b8ff636d74c4 Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Thu, 22 Oct 2020 17:08:00 +0200
Subject: [PATCH 134/156] Add support to customize existing users - Randomize unused users
---
 wazuh-opendistro/config/create_user.py | 33 ++++++++++++++++++-
 .../config/etc/cont-init.d/2-manager | 2 +-
 2 files changed, 33 insertions(+), 2 deletions(-)
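Review bot: `function_create_custom_user` writes the API username and password in clear text to `/var/ossec/api/configuration/admin.json` under the default umask and never removes the file, so the credential stays readable on disk long after `create_user.py` has consumed it; unless something else in the image reads this file later (nothing in the hunk does), tighten it and clean it up: `chmod 600 /var/ossec/api/configuration/admin.json` right after the heredoc and `rm -f /var/ossec/api/configuration/admin.json` after the python3 call. The heredoc also interpolates `$API_PASSWORD` into JSON unescaped, so a password containing `"` or `\` yields invalid JSON and the script fails with a traceback — at minimum document that next to the password requirements, or have the script build the JSON. The `[[ ! -z … ]]` tests read more naturally as `[[ -n $API_USERNAME ]] && [[ -n $API_PASSWORD ]]`.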
diff --git a/wazuh-opendistro/config/create_user.py b/wazuh-opendistro/config/create_user.py
index c7ea3efe..b4b5e813 100644
--- a/wazuh-opendistro/config/create_user.py
+++ b/wazuh-opendistro/config/create_user.py
@@ -1,6 +1,8 @@
 import logging
 import sys
 import json
+import random
+import string
 import os
 
 # Set framework path
@@ -43,7 +45,9 @@ if __name__ == "__main__":
         # abort if no user file detected
         sys.exit(0)
     username, password = read_user_file()
-    if username not in db_users():
+    initial_users = db_users()
+    if username not in initial_users:
+        # create a new user
         create_user(username=username, password=password)
         users = db_users()
         uid = users[username]
@@ -57,3 +61,30 @@ if __name__ == "__main__":
                 str(rid),
             ],
         )
+    else:
+        # modify an existing user ("wazuh" or "wazuh-wui")
+        uid = initial_users[username]
+        update_user(
+            user_id=[
+                str(uid),
+            ],
+            password=password,
+        )
+        # set a random password for all other users
+        for name, id in initial_users.items():
+            if name != username:
+                random_pass = "".join(
+                    random.choices(
+                        string.ascii_uppercase
+                        + string.ascii_lowercase
+                        + string.digits
+                        + "@$!%*?&-_",
+                        k=16,
+                    )
+                )
+                update_user(
+                    user_id=[
+                        str(id),
+                    ],
+                    password=random_pass,
+                )
diff --git a/wazuh-opendistro/config/etc/cont-init.d/2-manager b/wazuh-opendistro/config/etc/cont-init.d/2-manager
index cbeeec0f..1ac0139e 100644
--- a/wazuh-opendistro/config/etc/cont-init.d/2-manager
+++ b/wazuh-opendistro/config/etc/cont-init.d/2-manager
@@ -84,7 +84,7 @@ function_create_custom_user() {
 }
 EOF
 
- # insert user into API database
+ # create or customize API user
 /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/create_user.py
 fi
 }
From ed805ee1c1e3f46ce68fb3153e4d5b9cbb8bc717 Mon Sep 17 00:00:00 2001
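Review bot: The passwords assigned to the other API users in the `@@ -57,3 +61,30 @@` hunk are drawn with `random.choices`, a general-purpose PRNG that is not meant for credentials; use the `secrets` module instead: `alphabet = string.ascii_letters + string.digits + "@$!%*?&-_"` and `random_pass = "".join(secrets.choice(alphabet) for _ in range(16))`, with `import secrets` replacing `import random` in the `@@ -1,6 +1,8 @@` hunk. A 16-character draw can also miss a class the password policy documented in the README hunks of this series requires (uppercase, lowercase, special), in which case `update_user` would presumably reject it and that account would keep its old password — regenerate until every class is present, or check the result of `update_user`. `id` shadows the builtin; `user_id` reads better. The enclosing `if __name__ == "__main__":` block starts outside the hunk.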
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 11:25:45 +0200 Subject: [PATCH 135/156] Update README with default values --- README.md | 60 +++++++++++++++++++++++++++---------------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 71426d1e..185761cf 100644 --- a/README.md +++ b/README.md @@ -36,11 +36,11 @@ Default values are included when available. ### Wazuh ``` -API_USERNAME="my-custom-login" # Wazuh API username -API_PASSWORD="Str0ngP455w0rd.!*-" # Wazuh API password - Must comply with requirements (8+ length, uppercase, lowercase, specials chars) +API_USERNAME="wazuh" # Wazuh API username +API_PASSWORD="wazuh" # Wazuh API password - Must comply with requirements (8+ length, uppercase, lowercase, specials chars) ELASTICSEARCH_URL=https://elasticsearch:9200 # Elasticsearch URL ELASTIC_USERNAME=admin # Elasticsearch Username -ELASTIC_PASSWORD=SecretPassword # Elasticsearch Password +ELASTIC_PASSWORD=admin # Elasticsearch Password FILEBEAT_SSL_VERIFICATION_MODE=full # Filebeat SSL Verification mode (full or none) SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem # Filebeat SSL CA SSL_CERTIFICATE=/etc/ssl/filebeat.pem # Filebeat SSL Certificate 
@@ -49,39 +49,39 @@ SSL_KEY=/etc/ssl/filebeat.key # Filebeat SSL Key ### Kibana ``` -PATTERN="" # Default index pattern to use +PATTERN="wazuh-alerts-*" # Default index pattern to use -CHECKS_PATTERN="" # Defines which checks must to be consider by the healthcheck -CHECKS_TEMPLATE="" # step once the Wazuh app starts. Values must to be true or false -CHECKS_API="" # -CHECKS_SETUP="" # +CHECKS_PATTERN=true # Defines which checks must to be consider by the healthcheck +CHECKS_TEMPLATE=true # step once the Wazuh app starts. Values must to be true or false +CHECKS_API=true +CHECKS_SETUP=true -EXTENSIONS_PCI="" # Enable PCI Extension -EXTENSIONS_GDPR="" # Enable GDPR Extension -EXTENSIONS_HIPAA="" # Enable HIPAA Extension -EXTENSIONS_NIST="" # Enable NIST Extension -EXTENSIONS_TSC="" # Enable TSC Extension -EXTENSIONS_AUDIT="" # Enable Audit Extension -EXTENSIONS_OSCAP="" # Enable OpenSCAP Extension -EXTENSIONS_CISCAT="" # Enable CISCAT Extension -EXTENSIONS_AWS="" # Enable AWS Extension -EXTENSIONS_GCP="" # Enable GCP Extension -EXTENSIONS_VIRUSTOTAL="" # Enable Virustotal Extension -EXTENSIONS_OSQUERY="" # Enable OSQuery Extension -EXTENSIONS_DOCKER="" # Enable Docker Extension +EXTENSIONS_PCI=true # Enable PCI Extension +EXTENSIONS_GDPR=true # Enable GDPR Extension +EXTENSIONS_HIPAA=true # Enable HIPAA Extension +EXTENSIONS_NIST=true # Enable NIST Extension +EXTENSIONS_TSC=true # Enable TSC Extension +EXTENSIONS_AUDIT=true # Enable Audit Extension +EXTENSIONS_OSCAP=false # Enable OpenSCAP Extension +EXTENSIONS_CISCAT=false # Enable CISCAT Extension +EXTENSIONS_AWS=false # Enable AWS Extension +EXTENSIONS_GCP=false # Enable GCP Extension +EXTENSIONS_VIRUSTOTAL=false # Enable Virustotal Extension +EXTENSIONS_OSQUERY=false # Enable OSQuery Extension +EXTENSIONS_DOCKER=false # Enable Docker Extension -APP_TIMEOUT="" # Defines maximum timeout to be used on the Wazuh app requests +APP_TIMEOUT=20000 # Defines maximum timeout to be used on the Wazuh app requests 
-API_SELECTOR="" # Defines if the user is allowed to change the selected API directly from the Wazuh app top menu -IP_SELECTOR="" # Defines if the user is allowed to change the selected index pattern directly from the Wazuh app top menu -IP_IGNORE="" # List of index patterns to be ignored +API_SELECTOR=true Defines if the user is allowed to change the selected API directly from the Wazuh app top menu +IP_SELECTOR=true # Defines if the user is allowed to change the selected index pattern directly from the Wazuh app top menu +IP_IGNORE="[]" # List of index patterns to be ignored -WAZUH_MONITORING_ENABLED="" # Custom settings to enable/disable wazuh-monitoring indices -WAZUH_MONITORING_FREQUENCY="" # Custom setting to set the frequency for wazuh-monitoring indices cron task -WAZUH_MONITORING_SHARDS="" # Configure wazuh-monitoring-* indices shards and replicas -WAZUH_MONITORING_REPLICAS="" # +WAZUH_MONITORING_ENABLED=true # Custom settings to enable/disable wazuh-monitoring indices +WAZUH_MONITORING_FREQUENCY=900 # Custom setting to set the frequency for wazuh-monitoring indices cron task +WAZUH_MONITORING_SHARDS=2 # Configure wazuh-monitoring-* indices shards and replicas +WAZUH_MONITORING_REPLICAS=0 # -ADMIN_PRIVILEGES="" # App privileges +ADMIN_PRIVILEGES=true # App privileges ``` ## Directory structure From b821942010cdb227b2ed6bee55ec1cf8350b3cfd Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 11:33:23 +0200 Subject: [PATCH 136/156] Improve description formatting --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 185761cf..2dd0d7e2 100644 --- a/README.md +++ b/README.md 
@@ -37,7 +37,9 @@ Default values are included when available. ### Wazuh ``` API_USERNAME="wazuh" # Wazuh API username -API_PASSWORD="wazuh" # Wazuh API password - Must comply with requirements (8+ length, uppercase, lowercase, specials chars) +API_PASSWORD="wazuh" # Wazuh API password - Must comply with requirements + # (8+ length, uppercase, lowercase, specials chars) + ELASTICSEARCH_URL=https://elasticsearch:9200 # Elasticsearch URL ELASTIC_USERNAME=admin # Elasticsearch Username ELASTIC_PASSWORD=admin # Elasticsearch Password From 3a3b57445487c2b08ecadda667f97dfc40cf6765 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 11:35:48 +0200 Subject: [PATCH 137/156] Fix filebeat ssl vars description --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2dd0d7e2..bcfb141b 100644 --- a/README.md +++ b/README.md @@ -44,9 +44,9 @@ ELASTICSEARCH_URL=https://elasticsearch:9200 # Elasticsearch URL ELASTIC_USERNAME=admin # Elasticsearch Username ELASTIC_PASSWORD=admin # Elasticsearch Password FILEBEAT_SSL_VERIFICATION_MODE=full # Filebeat SSL Verification mode (full or none) -SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem # Filebeat SSL CA -SSL_CERTIFICATE=/etc/ssl/filebeat.pem # Filebeat SSL Certificate -SSL_KEY=/etc/ssl/filebeat.key # Filebeat SSL Key +SSL_CERTIFICATE_AUTHORITIES="" # Path of Filebeat SSL CA +SSL_CERTIFICATE="" # Path of Filebeat SSL Certificate +SSL_KEY="" # Path of Filebeat SSL Key ``` ### Kibana From ed4a967839161d76176fd16ec2567897a457971d Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 12:48:10 +0200 Subject: [PATCH 138/156] Update containers included in repo --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index bcfb141b..45a799c2 100644 --- a/README.md +++ b/README.md 
@@ -7,10 +7,9 @@ In this repository you will find the containers to run: -* wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack) -* wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status. -* nginx: Proxies the Kibana container, adding HTTPS (via your [own certificate or self-signed](nginx_conf/README.md)) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme). **It is required to set up SSL certificate before deploying** -* wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** +* wazuh-opendistro: It runs the Wazuh manager, Wazuh API and Filebeat OSS (for integration with ODFE) +* wazuh-kibana-opendistro: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status. +* opendistro-for-elasticsearch: An Elasticsearch (ODFE) container (working as a single-node cluster) using ODFE Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** In addition, a docker-compose file is provided to launch the containers mentioned above. From d69f02d4699fc9fa137db4462f4cd47ac12072d3 Mon Sep 17 00:00:00 2001 
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 12:48:32 +0200 Subject: [PATCH 139/156] Update kibana app to release channel --- kibana-opendistro/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kibana-opendistro/Dockerfile b/kibana-opendistro/Dockerfile index b0024a00..c88b73b2 100644 --- a/kibana-opendistro/Dockerfile +++ b/kibana-opendistro/Dockerfile @@ -6,7 +6,7 @@ ARG WAZUH_VERSION=4.0.0 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" WORKDIR /usr/share/kibana -RUN ./bin/kibana-plugin install https://packages-dev.wazuh.com/pre-release/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip +RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip WORKDIR / USER root From 36c75a1f5d9bad968251b66edc674ffddabf31bd Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 12:50:02 +0200 Subject: [PATCH 140/156] Update Wazuh repo to release channel --- wazuh-opendistro/Dockerfile | 2 +- wazuh-opendistro/config/wazuh.repo | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index 06f3d99f..613e8e1d 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile @@ -1,7 +1,7 @@ # Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) FROM centos:7 -ARG FILEBEAT_VERSION=7.8.0 +ARG FILEBEAT_VERSION=7.9.1 ARG WAZUH_VERSION=4.0.0-1 ARG TEMPLATE_VERSION="master" ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.2.tar.gz" diff --git a/wazuh-opendistro/config/wazuh.repo b/wazuh-opendistro/config/wazuh.repo index 15e1b822..e230d6a9 100644 --- a/wazuh-opendistro/config/wazuh.repo +++ b/wazuh-opendistro/config/wazuh.repo 
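Review bot: The plugin zip installed by the new `RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip` line is protected only by TLS on the download; nothing checks the artifact itself, so a changed or corrupted zip at that URL is installed into the image without any build failure. Downloading the file first with `curl --fail --silent -L -o /tmp/wazuh_kibana.zip …`, comparing it against a pinned digest (`ARG WAZUH_APP_SHA256=<sha256 of the release zip>` and `echo "${WAZUH_APP_SHA256}  /tmp/wazuh_kibana.zip" | sha256sum -c -`) and then passing the local path to `kibana-plugin install` would make the image reproducible for a given tag and make tampering or a bad mirror a visible build error. The Filebeat module download in the later wazuh-opendistro/Dockerfile commit has the same gap.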
@@ -3,5 +3,5 @@ gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=Wazuh repository -baseurl=https://packages-dev.wazuh.com/pre-release/yum/ +baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 From d6cb34517b526de29176be0a09cd1db43d30c257 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 12:50:24 +0200 Subject: [PATCH 141/156] Use official filebeat module --- wazuh-opendistro/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wazuh-opendistro/Dockerfile b/wazuh-opendistro/Dockerfile index 613e8e1d..0148d8e0 100644 --- a/wazuh-opendistro/Dockerfile +++ b/wazuh-opendistro/Dockerfile @@ -4,7 +4,7 @@ FROM centos:7 ARG FILEBEAT_VERSION=7.9.1 ARG WAZUH_VERSION=4.0.0-1 ARG TEMPLATE_VERSION="master" -ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.2.tar.gz" +ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz" # Set repositories. RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH @@ -19,7 +19,7 @@ RUN yum --enablerepo=updates clean metadata && \ RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm &&\ rpm -i filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm -RUN curl -s https://packages-dev.wazuh.com/utils/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module +RUN curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module ARG S6_VERSION="v2.1.0.2" RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \ From 1cea49b83f75b4bec6098b930561d65002a41353 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 13:08:27 +0200 Subject: [PATCH 142/156] Add compatibility matrix --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) 
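Review bot: The new `RUN curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module` line pipes an unverified download straight into the Filebeat module directory: `curl -s` has no `--fail`, so an HTTP error body is what tar receives, and under the default `/bin/sh -c` the step's exit status is tar's alone, so a truncated download that tar happens to accept passes the build. Fetching to a file with `curl --fail --silent -L -o /tmp/${WAZUH_FILEBEAT_MODULE} …` (the s6-overlay download a few lines below already uses `--fail --silent -L`), checking it against a pinned sha256 before extracting, and deleting it in the same layer would make the module install reproducible and detectably broken on failure. The first hunk also moves the module from 0.2 back to 0.1 with no explanation; a short comment above the `ARG` stating why 0.1 is the intended module for this Wazuh version would keep a later bump from undoing it.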
diff --git a/README.md b/README.md index 45a799c2..3ccddbd6 100644 --- a/README.md +++ b/README.md @@ -131,6 +131,14 @@ ADMIN_PRIVILEGES=true # App privileges * `master` branch contains the latest code, be aware of possible bugs on this branch. * `Wazuh.Version_ElasticStack.Version` (for example 3.10.2_7.5.0) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch. + +## Compatibility Matrix + +| Wazuh version | ODFE | +|---------------|---------| +| v4.0.0 | 1.10.1 | + + ## Credits and Thank you These Docker containers are based on: From ff0c29bbfd2b0dc1f827d0afcc400dacc8cbee0b Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 14:32:48 +0200 Subject: [PATCH 143/156] Bump ODFE versions in production cluster --- production-cluster.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/production-cluster.yml b/production-cluster.yml index 136f0a6d..9fedb3dc 100644 --- a/production-cluster.yml +++ b/production-cluster.yml @@ -67,7 +67,7 @@ services: - ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf elasticsearch: - image: amazon/opendistro-for-elasticsearch:1.9.0 + image: amazon/opendistro-for-elasticsearch:1.10.1 hostname: elasticsearch restart: always ports: @@ -90,7 +90,7 @@ services: - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml elasticsearch-2: - image: amazon/opendistro-for-elasticsearch:1.9.0 + image: amazon/opendistro-for-elasticsearch:1.10.1 hostname: elasticsearch-2 restart: always environment: 
@@ -111,7 +111,7 @@ services: - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml elasticsearch-3: - image: amazon/opendistro-for-elasticsearch:1.9.0 + image: amazon/opendistro-for-elasticsearch:1.10.1 hostname: elasticsearch-3 restart: always environment: From fb53624ed8b6a8a183b6089976c26fd56d21463d Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 15:24:47 +0200 Subject: [PATCH 144/156] Shutdown container if API configuration fails --- .../config/etc/cont-init.d/2-manager | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/wazuh-opendistro/config/etc/cont-init.d/2-manager b/wazuh-opendistro/config/etc/cont-init.d/2-manager index 1ac0139e..4419011a 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/2-manager +++ b/wazuh-opendistro/config/etc/cont-init.d/2-manager @@ -22,6 +22,11 @@ function echoyellow() echo $(__colortext "$1" "33") } +function echored() +{ + echo $(__colortext "$1" "31") +} + function_wazuh_migration(){ if [ -d "/wazuh-migration" ]; then if [ ! -e /wazuh-migration/.migration-completed ]; then @@ -84,8 +89,16 @@ function_create_custom_user() { } EOF - # create or customize API user - /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/create_user.py + # create or customize API user + if /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/create_user.py; then + # remove json if exit code is 0 + rm /var/ossec/api/configuration/admin.json + else + echored "There was an error configuring the API user" + # terminate container to avoid unpredictable behavior + exec s6-svscanctl -t /var/run/s6/services + exit 1 + fi fi } From 2d77c33f1b3124115f17237f7a9b21d4edb613c8 Mon Sep 17 00:00:00 2001 
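Review bot: In the second hunk the failure branch shuts the container down but leaves `/var/ossec/api/configuration/admin.json` on disk, and the production-cluster.yml context lines elsewhere in this series mount `ossec-api-configuration` on `/var/ossec/api/configuration`, so whatever the heredoc above wrote into that file (apparently the API user definition; the heredoc body is outside the hunk) persists across the restart and every failed retry. Removing it on both paths — `rm -f /var/ossec/api/configuration/admin.json` immediately after the `if`/`else` rather than only on success — limits the file's lifetime to the single create_user.py run; if it is deliberately kept for debugging, a comment should say so. The `exit 1` after `exec s6-svscanctl -t /var/run/s6/services` only runs when the exec itself fails, which is worth a one-line comment (`# reached only if s6-svscanctl could not be executed`) so readers do not expect it to run normally. function_create_custom_user's body begins before the hunk.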
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 15:32:23 +0200 Subject: [PATCH 145/156] Disable server tokens --- production_cluster/nginx/nginx.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/production_cluster/nginx/nginx.conf b/production_cluster/nginx/nginx.conf index a02465fe..8cd13ca2 100644 --- a/production_cluster/nginx/nginx.conf +++ b/production_cluster/nginx/nginx.conf @@ -25,6 +25,7 @@ http { keepalive_timeout 65; + server_tokens off; gzip on; # kibana UI @@ -47,7 +48,7 @@ http { proxy_busy_buffers_size 256k; } } - + } @@ -58,7 +59,7 @@ stream { hash $remote_addr consistent; server wazuh-master:1514; server wazuh-worker:1514; - } + } server { listen 1514; proxy_pass mycluster; From 8b39d84207002f7bed91579ae43a56d70e91fca4 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 15:36:03 +0200 Subject: [PATCH 146/156] Use custom API user/pass on production example --- production-cluster.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/production-cluster.yml b/production-cluster.yml index 9fedb3dc..ebf003ef 100644 --- a/production-cluster.yml +++ b/production-cluster.yml @@ -19,6 +19,8 @@ services: - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem - SSL_CERTIFICATE=/etc/ssl/filebeat.pem - SSL_KEY=/etc/ssl/filebeat.key + - API_USERNAME=acme-user + - API_PASSWORD=MyS3cr37P450r.*- volumes: - ossec-api-configuration:/var/ossec/api/configuration - ossec-etc:/var/ossec/etc @@ -145,6 +147,8 @@ services: - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/cert.pem - SERVER_SSL_KEY=/usr/share/kibana/config/key.pem - WAZUH_API_URL="https://wazuh-master" + - API_USERNAME=acme-user + - API_PASSWORD=MyS3cr37P450r.*- volumes: - ./production_cluster/kibana_ssl/cert.pem:/usr/share/kibana/config/cert.pem - ./production_cluster/kibana_ssl/key.pem:/usr/share/kibana/config/key.pem 
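Review bot: Both hunks add a literal API credential (`- API_PASSWORD=MyS3cr37P450r.*-`) to the file presented as the production example, and the same value is duplicated between the wazuh-master and kibana services so the two must be edited in lockstep. Compose already supports `${API_PASSWORD}` substitution from a `.env` file kept out of version control, or an `env_file:` entry, which keeps the credential out of the committed file and out of `docker-compose config` output that gets pasted into tickets. If a literal value is intentional for the example, a comment on each line such as `# example only - replace before deploying` makes that explicit to whoever copies the file.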
From a776bdb006921dcb8906fe93b29208f30dc0a953 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 17:19:23 +0200 Subject: [PATCH 147/156] Update directory structure --- README.md | 48 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 34 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 3ccddbd6..0f829146 100644 --- a/README.md +++ b/README.md 
@@ -87,37 +87,57 @@ ADMIN_PRIVILEGES=true # App privileges ## Directory structure - wazuh-docker ├── CHANGELOG.md ├── docker-compose.yml - ├── elasticsearch - │   ├── config - │   │   ├── config_cluster.sh - │   │   ├── configure_s3.sh - │   │   ├── entrypoint.sh - │   │   └── load_settings.sh - │   └── Dockerfile - ├── kibana + ├── elastic_conf + │   └── elasticsearch.yml + ├── generate-opendistro-certs.yml + ├── kibana-opendistro │   ├── config + │   │   ├── custom_welcome + │   │   │   ├── light_theme.style.css + │   │   │   ├── template.js.hbs + │   │   │   ├── wazuh_logo_circle.svg + │   │   │   └── wazuh_wazuh_bg.svg │   │   ├── entrypoint.sh │   │   ├── kibana_settings.sh │   │   ├── wazuh_app_config.sh - │   │   ├── welcome_wazuh.sh - │   │   └── xpack_config.sh + │   │   ├── wazuh.yml + │   │   └── welcome_wazuh.sh │   └── Dockerfile ├── LICENSE + ├── production_cluster + │   ├── elastic_opendistro + │   │   ├── elasticsearch-node1.yml + │   │   ├── elasticsearch-node2.yml + │   │   ├── elasticsearch-node3.yml + │   │   └── internal_users.yml + │   ├── kibana_ssl + │   │   └── generate-self-signed-cert.sh + │   ├── nginx + │   │   ├── nginx.conf + │   │   └── ssl + │   │   └── generate-self-signed-cert.sh + │   ├── ssl_certs + │   │   └── certs.yml + │   └── wazuh_cluster + │   ├── wazuh_manager.conf + │   └── wazuh_worker.conf + ├── production-cluster.yml ├── README.md ├── VERSION - └── wazuh + └── wazuh-opendistro ├── config + │   ├── create_user.py │   ├── etc │   │   ├── cont-init.d │   │   │   ├── 0-wazuh-init │   │   │   ├── 1-config-filebeat │   │   │   └── 2-manager │   │   └── services.d - │   │   ├── api │   │   └── filebeat + │   │   ├── finish + │   │   └── run │   ├── filebeat.yml │   ├── permanent_data.env │   ├── permanent_data.sh 
@@ -127,7 +147,7 @@ ADMIN_PRIVILEGES=true # App privileges ## Branches -* `stable` branch on correspond to the latest Wazuh-Docker stable version. +* `4.0` branch on correspond to the latest Wazuh-Docker stable version. * `master` branch contains the latest code, be aware of possible bugs on this branch. * `Wazuh.Version_ElasticStack.Version` (for example 3.10.2_7.5.0) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch. From 52f48c10a38e06960135bc4705e838dcc71a72e8 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 17:19:39 +0200 Subject: [PATCH 148/156] Update version --- VERSION | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 23662729..1f358e83 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-DOCKER_VERSION="3.13.1_7.8.0" -REVISION="31310" +WAZUH-DOCKER_VERSION="4.0.0" +REVISION="40000" From f35927b536fadf0266c0fccf199762b17b3ff576 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 17:27:19 +0200 Subject: [PATCH 149/156] Backport PR #393 --- .../config/etc/cont-init.d/0-wazuh-init | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init index 0a625354..68538c10 100644 --- a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init +++ b/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init 
@@ -133,6 +133,19 @@ set_custom_hostname() { sed -i 's/to_be_replaced_by_hostname<\/node_name>/'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf } +############################################################################## +# Allow users to set the container cluster key dynamically on +# container start. +# +# To use this: +# 1. Create your own ossec.conf file +# 2. In your ossec.conf file, set to_be_replaced_by_cluster_key as your key +# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf +############################################################################## + +set_custom_cluster_key() { + sed -i 's/to_be_replaced_by_cluster_key<\/key>/'"${WAZUH_CLUSTER_KEY}"'<\/key>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf +} ############################################################################## # Main function @@ -163,6 +176,9 @@ main() { # Allow setting custom hostname set_custom_hostname + # Allow setting custom cluster key + set_custom_cluster_key + # Delete temporary data folder rm -rf ${WAZUH_INSTALL_PATH}/data_tmp From d4eec39c90accdc31997fc17db1b5d25fd57d8e4 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 17:33:26 +0200 Subject: [PATCH 150/156] Update changelog --- CHANGELOG.md | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 721d2cf1..3f567676 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
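Review bot: `set_custom_cluster_key` interpolates `${WAZUH_CLUSTER_KEY}` into the sed program unescaped: when the variable is unset or empty the placeholder becomes an empty `<key></key>`, which silently leaves the cluster without a key instead of the placeholder someone would notice, and a key containing `/`, `&` or `\` either breaks the sed expression or is altered on the way into ossec.conf. A guard `[ -n "${WAZUH_CLUSTER_KEY}" ] || return 0` followed by `escaped_key=$(printf '%s' "${WAZUH_CLUSTER_KEY}" | sed 's/[\/&\\]/\\&/g')` and substituting `"${escaped_key}"` in the existing sed line would make the replacement safe for any key value. The banner comment could also mention that the key remains in the container environment after substitution, so operators know it is visible to anyone who can inspect the container. The `main()` touched by the second hunk begins before the hunk.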
@@ -1,8 +1,29 @@ # Change Log All notable changes to this project will be documented in this file. -# Change Log -All notable changes to this project will be documented in this file. +## Wazuh Docker v4.0.0 + +### Added + +- Update to Wazuh version 4.0.0 +- Updating Wazuh cluster key dynamically ([@1stOfHisGame](https://github.com/1stOfHisGame)) [#393](https://github.com/wazuh/wazuh-docker/pull/393) +- Switched to CentOS 7 for base image ([@xr09](https://github.com/xr09)) [#259](https://github.com/wazuh/wazuh-docker/issues/259) +- Using s6-overlay for process management ([@xr09](https://github.com/xr09)) [#274](https://github.com/wazuh/wazuh-docker/issues/274) +- Allow the creation of custom API users ([@xr09](https://github.com/xr09)) [#395](https://github.com/wazuh/wazuh-docker/issues/395) + + +## Wazuh Docker v3.13.2_7.9.1 + +### Added + +- Update to Wazuh version 3.13.2_7.9.1 +- Add CLUSTER_NETWORK_HOST environment variable ([@jfut](https://github.com/jfut)) [#372](https://github.com/wazuh/wazuh-docker/pull/372) + +### Fixed + +- Too many redirects when running on port 80 ([@chowmean](https://github.com/chowmean)) [#377](https://github.com/wazuh/wazuh-docker/pull/377) +- Move Filebeat installation to build stage ([@xr09](https://github.com/xr09)) [#378](https://github.com/wazuh/wazuh-docker/pull/378) + ## Wazuh Docker v3.13.1_7.8.0 @@ -10,6 +31,7 @@ All notable changes to this project will be documented in this file. - Update to Wazuh version 3.13.1_7.8.0 + ## Wazuh Docker v3.13.0_7.7.1 ### Added @@ -27,6 +49,7 @@ All notable changes to this project will be documented in this file. - Update to Wazuh version 3.12.3_7.6.2 + ## Wazuh Docker v3.12.2_7.6.2 ### Added From 7175e51012ce277c07031af668880057f641788f Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 17:54:45 +0200 Subject: [PATCH 151/156] Improve Changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 3f567676..030f596b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,8 @@ All notable changes to this project will be documented in this file. - Switched to CentOS 7 for base image ([@xr09](https://github.com/xr09)) [#259](https://github.com/wazuh/wazuh-docker/issues/259) - Using s6-overlay for process management ([@xr09](https://github.com/xr09)) [#274](https://github.com/wazuh/wazuh-docker/issues/274) - Allow the creation of custom API users ([@xr09](https://github.com/xr09)) [#395](https://github.com/wazuh/wazuh-docker/issues/395) +- Use official Elastic images ([@xr09](https://github.com/xr09)) [#333](https://github.com/wazuh/wazuh-docker/pull/333) +- OpenDistro support ([@xr09](https://github.com/xr09)) [#373](https://github.com/wazuh/wazuh-docker/pull/373) ## Wazuh Docker v3.13.2_7.9.1 From b874eac3af5a174e074068449cc6406608e3792c Mon Sep 17 00:00:00 2001 
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 18:12:55 +0200 Subject: [PATCH 152/156] Renamed image names to odfe --- docker-compose.yml | 6 ++---- {kibana-opendistro => kibana-odfe}/Dockerfile | 0 .../config/custom_welcome/light_theme.style.css | 0 .../config/custom_welcome/template.js.hbs | 0 .../config/custom_welcome/wazuh_logo_circle.svg | 0 .../config/custom_welcome/wazuh_wazuh_bg.svg | 0 {kibana-opendistro => kibana-odfe}/config/entrypoint.sh | 0 .../config/kibana_settings.sh | 0 {kibana-opendistro => kibana-odfe}/config/wazuh.yml | 0 .../config/wazuh_app_config.sh | 0 .../config/welcome_wazuh.sh | 0 production-cluster.yml | 9 +++------ {wazuh-opendistro => wazuh-odfe}/Dockerfile | 0 {wazuh-opendistro => wazuh-odfe}/config/create_user.py | 0 .../config/etc/cont-init.d/0-wazuh-init | 0 .../config/etc/cont-init.d/1-config-filebeat | 0 .../config/etc/cont-init.d/2-manager | 0 .../config/etc/services.d/filebeat/finish | 0 .../config/etc/services.d/filebeat/run | 0 {wazuh-opendistro => wazuh-odfe}/config/filebeat.yml | 0 .../config/permanent_data.env | 0 .../config/permanent_data.sh | 0 {wazuh-opendistro => wazuh-odfe}/config/wazuh.repo | 0 23 files changed, 5 insertions(+), 10 deletions(-) rename {kibana-opendistro => kibana-odfe}/Dockerfile (100%) rename {kibana-opendistro => kibana-odfe}/config/custom_welcome/light_theme.style.css (100%) rename {kibana-opendistro => kibana-odfe}/config/custom_welcome/template.js.hbs (100%) rename {kibana-opendistro => kibana-odfe}/config/custom_welcome/wazuh_logo_circle.svg (100%) rename {kibana-opendistro => kibana-odfe}/config/custom_welcome/wazuh_wazuh_bg.svg (100%) rename {kibana-opendistro => kibana-odfe}/config/entrypoint.sh (100%) rename {kibana-opendistro => kibana-odfe}/config/kibana_settings.sh (100%) rename {kibana-opendistro => kibana-odfe}/config/wazuh.yml (100%) rename {kibana-opendistro => kibana-odfe}/config/wazuh_app_config.sh (100%) rename {kibana-opendistro => 
kibana-odfe}/config/welcome_wazuh.sh (100%) rename {wazuh-opendistro => wazuh-odfe}/Dockerfile (100%) rename {wazuh-opendistro => wazuh-odfe}/config/create_user.py (100%) rename {wazuh-opendistro => wazuh-odfe}/config/etc/cont-init.d/0-wazuh-init (100%) rename {wazuh-opendistro => wazuh-odfe}/config/etc/cont-init.d/1-config-filebeat (100%) rename {wazuh-opendistro => wazuh-odfe}/config/etc/cont-init.d/2-manager (100%) rename {wazuh-opendistro => wazuh-odfe}/config/etc/services.d/filebeat/finish (100%) rename {wazuh-opendistro => wazuh-odfe}/config/etc/services.d/filebeat/run (100%) rename {wazuh-opendistro => wazuh-odfe}/config/filebeat.yml (100%) rename {wazuh-opendistro => wazuh-odfe}/config/permanent_data.env (100%) rename {wazuh-opendistro => wazuh-odfe}/config/permanent_data.sh (100%) rename {wazuh-opendistro => wazuh-odfe}/config/wazuh.repo (100%) diff --git a/docker-compose.yml b/docker-compose.yml index 67fe1c5f..5bf938bb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,8 +3,7 @@ version: '3.7' services: wazuh: - build: wazuh-opendistro/ - image: wazuh-opendistro + image: wazuh/wazuh-odfe:4.0.0 hostname: wazuh-manager restart: always ports: @@ -51,8 +50,7 @@ services: hard: 65536 kibana: - build: kibana-opendistro/ - image: wazuh-kibana-opendistro + image: wazuh/wazuh-kibana-odfe:4.0.0 hostname: kibana restart: always ports: diff --git a/kibana-opendistro/Dockerfile b/kibana-odfe/Dockerfile similarity index 100% rename from kibana-opendistro/Dockerfile rename to kibana-odfe/Dockerfile diff --git a/kibana-opendistro/config/custom_welcome/light_theme.style.css b/kibana-odfe/config/custom_welcome/light_theme.style.css similarity index 100% rename from kibana-opendistro/config/custom_welcome/light_theme.style.css rename to kibana-odfe/config/custom_welcome/light_theme.style.css 
diff --git a/kibana-opendistro/config/custom_welcome/template.js.hbs b/kibana-odfe/config/custom_welcome/template.js.hbs similarity index 100% rename from kibana-opendistro/config/custom_welcome/template.js.hbs rename to kibana-odfe/config/custom_welcome/template.js.hbs diff --git a/kibana-opendistro/config/custom_welcome/wazuh_logo_circle.svg b/kibana-odfe/config/custom_welcome/wazuh_logo_circle.svg similarity index 100% rename from kibana-opendistro/config/custom_welcome/wazuh_logo_circle.svg rename to kibana-odfe/config/custom_welcome/wazuh_logo_circle.svg diff --git a/kibana-opendistro/config/custom_welcome/wazuh_wazuh_bg.svg b/kibana-odfe/config/custom_welcome/wazuh_wazuh_bg.svg similarity index 100% rename from kibana-opendistro/config/custom_welcome/wazuh_wazuh_bg.svg rename to kibana-odfe/config/custom_welcome/wazuh_wazuh_bg.svg diff --git a/kibana-opendistro/config/entrypoint.sh b/kibana-odfe/config/entrypoint.sh similarity index 100% rename from kibana-opendistro/config/entrypoint.sh rename to kibana-odfe/config/entrypoint.sh diff --git a/kibana-opendistro/config/kibana_settings.sh b/kibana-odfe/config/kibana_settings.sh similarity index 100% rename from kibana-opendistro/config/kibana_settings.sh rename to kibana-odfe/config/kibana_settings.sh diff --git a/kibana-opendistro/config/wazuh.yml b/kibana-odfe/config/wazuh.yml similarity index 100% rename from kibana-opendistro/config/wazuh.yml rename to kibana-odfe/config/wazuh.yml diff --git a/kibana-opendistro/config/wazuh_app_config.sh b/kibana-odfe/config/wazuh_app_config.sh similarity index 100% rename from kibana-opendistro/config/wazuh_app_config.sh rename to kibana-odfe/config/wazuh_app_config.sh diff --git a/kibana-opendistro/config/welcome_wazuh.sh b/kibana-odfe/config/welcome_wazuh.sh similarity index 100% rename from kibana-opendistro/config/welcome_wazuh.sh rename to kibana-odfe/config/welcome_wazuh.sh diff --git a/production-cluster.yml b/production-cluster.yml index ebf003ef..6b537301 100644 
--- a/production-cluster.yml +++ b/production-cluster.yml @@ -3,8 +3,7 @@ version: '3.7' services: wazuh-master: - build: wazuh-opendistro/ - image: wazuh-opendistro + image: wazuh/wazuh-odfe:4.0.0 hostname: wazuh-master restart: always ports: @@ -39,8 +38,7 @@ services: - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf wazuh-worker: - build: wazuh-opendistro/ - image: wazuh-opendistro + image: wazuh/wazuh-odfe:4.0.0 hostname: wazuh-worker restart: always environment: @@ -134,8 +132,7 @@ services: - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml kibana: - build: kibana-opendistro/ - image: wazuh-kibana-opendistro + image: wazuh/wazuh-kibana-odfe:4.0.0 hostname: kibana restart: always ports: diff --git a/wazuh-opendistro/Dockerfile b/wazuh-odfe/Dockerfile similarity index 100% rename from wazuh-opendistro/Dockerfile rename to wazuh-odfe/Dockerfile diff --git a/wazuh-opendistro/config/create_user.py b/wazuh-odfe/config/create_user.py similarity index 100% rename from wazuh-opendistro/config/create_user.py rename to wazuh-odfe/config/create_user.py diff --git a/wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init b/wazuh-odfe/config/etc/cont-init.d/0-wazuh-init similarity index 100% rename from wazuh-opendistro/config/etc/cont-init.d/0-wazuh-init rename to wazuh-odfe/config/etc/cont-init.d/0-wazuh-init diff --git a/wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat b/wazuh-odfe/config/etc/cont-init.d/1-config-filebeat similarity index 100% rename from wazuh-opendistro/config/etc/cont-init.d/1-config-filebeat rename to wazuh-odfe/config/etc/cont-init.d/1-config-filebeat diff --git a/wazuh-opendistro/config/etc/cont-init.d/2-manager b/wazuh-odfe/config/etc/cont-init.d/2-manager similarity index 100% rename from wazuh-opendistro/config/etc/cont-init.d/2-manager rename to wazuh-odfe/config/etc/cont-init.d/2-manager 
diff --git a/wazuh-opendistro/config/etc/services.d/filebeat/finish b/wazuh-odfe/config/etc/services.d/filebeat/finish similarity index 100% rename from wazuh-opendistro/config/etc/services.d/filebeat/finish rename to wazuh-odfe/config/etc/services.d/filebeat/finish diff --git a/wazuh-opendistro/config/etc/services.d/filebeat/run b/wazuh-odfe/config/etc/services.d/filebeat/run similarity index 100% rename from wazuh-opendistro/config/etc/services.d/filebeat/run rename to wazuh-odfe/config/etc/services.d/filebeat/run diff --git a/wazuh-opendistro/config/filebeat.yml b/wazuh-odfe/config/filebeat.yml similarity index 100% rename from wazuh-opendistro/config/filebeat.yml rename to wazuh-odfe/config/filebeat.yml diff --git a/wazuh-opendistro/config/permanent_data.env b/wazuh-odfe/config/permanent_data.env similarity index 100% rename from wazuh-opendistro/config/permanent_data.env rename to wazuh-odfe/config/permanent_data.env diff --git a/wazuh-opendistro/config/permanent_data.sh b/wazuh-odfe/config/permanent_data.sh similarity index 100% rename from wazuh-opendistro/config/permanent_data.sh rename to wazuh-odfe/config/permanent_data.sh diff --git a/wazuh-opendistro/config/wazuh.repo b/wazuh-odfe/config/wazuh.repo similarity index 100% rename from wazuh-opendistro/config/wazuh.repo rename to wazuh-odfe/config/wazuh.repo From f56657cdb0a4cfe525c112bdaa9d8c4ab1caeddd Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 18:14:13 +0200 Subject: [PATCH 153/156] Update dir structure --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0f829146..d184c144 100644 --- a/README.md +++ b/README.md @@ -92,7 +92,7 @@ ADMIN_PRIVILEGES=true # App privileges ├── elastic_conf │   └── elasticsearch.yml ├── generate-opendistro-certs.yml - ├── kibana-opendistro + ├── kibana-odfe │   ├── config │   │   ├── custom_welcome │   │   │   ├── light_theme.style.css 
@@ -126,7 +126,7 @@ ADMIN_PRIVILEGES=true # App privileges ├── production-cluster.yml ├── README.md ├── VERSION - └── wazuh-opendistro + └── wazuh-odfe ├── config │   ├── create_user.py │   ├── etc @@ -145,6 +145,7 @@ ADMIN_PRIVILEGES=true # App privileges └── Dockerfile + ## Branches * `4.0` branch on correspond to the latest Wazuh-Docker stable version. From 9489d6b86f962424330d572676efe1dae34f4d1c Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 18:20:57 +0200 Subject: [PATCH 154/156] Changed section on changelog --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 030f596b..28487ffa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,10 +10,14 @@ All notable changes to this project will be documented in this file. - Switched to CentOS 7 for base image ([@xr09](https://github.com/xr09)) [#259](https://github.com/wazuh/wazuh-docker/issues/259) - Using s6-overlay for process management ([@xr09](https://github.com/xr09)) [#274](https://github.com/wazuh/wazuh-docker/issues/274) - Allow the creation of custom API users ([@xr09](https://github.com/xr09)) [#395](https://github.com/wazuh/wazuh-docker/issues/395) -- Use official Elastic images ([@xr09](https://github.com/xr09)) [#333](https://github.com/wazuh/wazuh-docker/pull/333) - OpenDistro support ([@xr09](https://github.com/xr09)) [#373](https://github.com/wazuh/wazuh-docker/pull/373) +### Changed + +- Removal of Elastic images + + ## Wazuh Docker v3.13.2_7.9.1 ### Added From 0618f45fcf89ed8d11ab7ef05f4f2a9bbe7c7b96 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 18:29:25 +0200 Subject: [PATCH 155/156] Update release tag --- CHANGELOG.md | 2 +- VERSION | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 28487ffa..75169db2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,7 +1,7 @@ # Change Log All notable changes to this project will be documented in this file. -## Wazuh Docker v4.0.0 +## Wazuh Docker v4.0.0_1.10.1 ### Added diff --git a/VERSION b/VERSION index 1f358e83..1cdd9758 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-DOCKER_VERSION="4.0.0" +WAZUH-DOCKER_VERSION="4.0.0_1.10.1" REVISION="40000" From ef5dc54e78b877d4f05f13de55e38cd01882c788 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 23 Oct 2020 19:33:41 +0200 Subject: [PATCH 156/156] Add ODFE tag --- docker-compose.yml | 4 ++-- production-cluster.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 5bf938bb..cf47f224 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,7 +3,7 @@ version: '3.7' services: wazuh: - image: wazuh/wazuh-odfe:4.0.0 + image: wazuh/wazuh-odfe:4.0.0_1.10.1 hostname: wazuh-manager restart: always ports: @@ -50,7 +50,7 @@ services: hard: 65536 kibana: - image: wazuh/wazuh-kibana-odfe:4.0.0 + image: wazuh/wazuh-kibana-odfe:4.0.0_1.10.1 hostname: kibana restart: always ports: diff --git a/production-cluster.yml b/production-cluster.yml index 6b537301..f22516ef 100644 --- a/production-cluster.yml +++ b/production-cluster.yml @@ -3,7 +3,7 @@ version: '3.7' services: wazuh-master: - image: wazuh/wazuh-odfe:4.0.0 + image: wazuh/wazuh-odfe:4.0.0_1.10.1 hostname: wazuh-master restart: always ports: @@ -38,7 +38,7 @@ services: - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf wazuh-worker: - image: wazuh/wazuh-odfe:4.0.0 + image: wazuh/wazuh-odfe:4.0.0_1.10.1 hostname: wazuh-worker restart: always environment: 
@@ -132,7 +132,7 @@ services: - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml kibana: - image: wazuh/wazuh-kibana-odfe:4.0.0 + image: wazuh/wazuh-kibana-odfe:4.0.0_1.10.1 hostname: kibana restart: always ports: