modify uid and giufor indexer and dashboard user and file permissions

build-docker-images/wazuh-dashboard/Dockerfile

@@ -28,12 +28,12 @@ RUN bash /install_wazuh_app.sh
 # Copy and set permissions to config files
 COPY config/opensearch_dashboards.yml $INSTALL_DIR/config/
 COPY config/wazuh.yml $INSTALL_DIR/data/wazuh/config/
-RUN chown 101:101 $INSTALL_DIR/config/opensearch_dashboards.yml && chmod 664 $INSTALL_DIR/config/opensearch_dashboards.yml
+RUN chmod 664 $INSTALL_DIR/config/opensearch_dashboards.yml
 
 # Create and set permissions to data directories
-RUN mkdir -p $INSTALL_DIR/data/wazuh && chown -R 101:101 $INSTALL_DIR/data/wazuh && chmod -R 775 $INSTALL_DIR/data/wazuh
+RUN mkdir -p $INSTALL_DIR/data/wazuh && chmod -R 775 $INSTALL_DIR/data/wazuh
-RUN mkdir -p $INSTALL_DIR/data/wazuh/config && chown -R 101:101 $INSTALL_DIR/data/wazuh/config && chmod -R 775 $INSTALL_DIR/data/wazuh/config
+RUN mkdir -p $INSTALL_DIR/data/wazuh/config && chmod -R 775 $INSTALL_DIR/data/wazuh/config
-RUN mkdir -p $INSTALL_DIR/data/wazuh/logs && chown -R 101:101 $INSTALL_DIR/data/wazuh/logs && chmod -R 775 $INSTALL_DIR/data/wazuh/logs
+RUN mkdir -p $INSTALL_DIR/data/wazuh/logs && chmod -R 775 $INSTALL_DIR/data/wazuh/logs
 
 ################################################################################
 # Build stage 1 (the current Wazuh dashboard image):
@@ -84,9 +84,9 @@ ENV PATTERN="" \
 RUN yum install shadow-utils -y
 
 # Create wazuh-dashboard user and group
-RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
+RUN getent group $GROUP || groupadd -r -g 999 $GROUP
 RUN useradd --system \
-            --uid 1000 \
+            --uid 999 \
             --no-create-home \
             --home-dir $INSTALL_DIR \
             --gid $GROUP \
@@ -99,14 +99,14 @@ COPY config/entrypoint.sh /
 COPY config/wazuh_app_config.sh /
 RUN chmod 700 /entrypoint.sh
 RUN chmod 700 /wazuh_app_config.sh
-RUN chown 1000:1000 /*.sh
+RUN chown 999:999 /*.sh
 
 # Copy Install dir from builder to current image
-COPY --from=builder --chown=1000:1000 $INSTALL_DIR $INSTALL_DIR
+COPY --from=builder --chown=999:999 $INSTALL_DIR $INSTALL_DIR
 
 # Create custom directory
 RUN mkdir -p /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
-RUN chown 1000:1000 /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
+RUN chown 999:999 /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
 
 # Set workdir and user
 WORKDIR $INSTALL_DIR

build-docker-images/wazuh-indexer/Dockerfile

@@ -38,10 +38,10 @@ ENV USER="wazuh-indexer" \
 
 RUN yum install curl-minimal shadow-utils findutils hostname -y
 
-RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
+RUN getent group $GROUP || groupadd -r -g 999 $GROUP
 
 RUN useradd --system \
-            --uid 1000 \
+            --uid 999 \
             --no-create-home \
             --home-dir $INSTALL_DIR \
             --gid $GROUP \
@@ -57,19 +57,19 @@ COPY config/securityadmin.sh /
 
 RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh
 
-RUN chown 1000:1000 /*.sh
+RUN chown 999:999 /*.sh
 
-COPY --from=builder --chown=1000:1000 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer
+COPY --from=builder --chown=999:999 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer
 COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd
 COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d
 COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d
 
-RUN chown -R 1000:1000 /usr/share/wazuh-indexer
+RUN chown -R 999:999 /usr/share/wazuh-indexer
 
-RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && \
+RUN mkdir -p /var/lib/wazuh-indexer && chown 999:999 /var/lib/wazuh-indexer && \
-    mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs && \
+    mkdir -p /usr/share/wazuh-indexer/logs && chown 999:999 /usr/share/wazuh-indexer/logs && \
-    mkdir -p /run/wazuh-indexer && chown 1000:1000 /run/wazuh-indexer && \
+    mkdir -p /run/wazuh-indexer && chown 999:999 /run/wazuh-indexer && \
-    mkdir -p /var/log/wazuh-indexer && chown 1000:1000 /var/log/wazuh-indexer && \
+    mkdir -p /var/log/wazuh-indexer && chown 999:999 /var/log/wazuh-indexer && \
     chmod 700 /usr/share/wazuh-indexer && \
     chmod 600 /usr/share/wazuh-indexer/jvm.options && \
     chmod 600 /usr/share/wazuh-indexer/opensearch.yml

build-docker-images/wazuh-indexer/config/entrypoint.sh

@@ -34,7 +34,7 @@ if [[ "$1" != "opensearchwrapper" ]]; then
     # `bin/opensearch -E x.y=z` would not work.
     set -- "opensearch" "${@:2}"
     # Use chroot to switch to UID 1000 / GID 0
-    exec chroot --userspec=1000:0 / "$@"
+    exec chroot --userspec=999:0 / "$@"
   else
     # User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?)
     exec "$@"
@@ -79,7 +79,7 @@ fi
 if [[ "$(id -u)" == "0" ]]; then
   # If requested and running as root, mutate the ownership of bind-mounts
   if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then
-    chown -R 1000:0 /usr/share/wazuh-indexer/{data,logs}
+    chown -R 999:0 /usr/share/wazuh-indexer/{data,logs}
   fi
 fi
 

indexer-certs-creator/config/entrypoint.sh

@@ -47,15 +47,5 @@ echo "Changing certificate permissions"
 chmod -R 500 /certificates
 chmod -R 400 /certificates/*
 echo "Setting UID indexer and dashboard"
-chown 1000:1000 /certificates/*
+chown 999:999 /certificates/*
-echo "Setting UID for wazuh manager and worker"
-cp /certificates/root-ca.pem /certificates/root-ca-manager.pem
-cp /certificates/root-ca.key /certificates/root-ca-manager.key
-chown 101:101 /certificates/root-ca-manager.pem
-chown 101:101 /certificates/root-ca-manager.key
 
-for i in ${node_names[@]};
-do
-  chown 101:101 "/certificates/${i}.pem"
-  chown 101:101 "/certificates/${i}-key.pem"
-done

multi-node/docker-compose.yml

@@ -39,7 +39,7 @@ services:
       - master-wazuh-wodles:/var/ossec/wodles
       - master-filebeat-etc:/etc/filebeat
       - master-filebeat-var:/var/lib/filebeat
-      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
       - ./config/wazuh_indexer_ssl_certs/wazuh.master.pem:/etc/ssl/filebeat.pem
       - ./config/wazuh_indexer_ssl_certs/wazuh.master-key.pem:/etc/ssl/filebeat.key
       - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
@@ -75,7 +75,7 @@ services:
       - worker-wazuh-wodles:/var/ossec/wodles
       - worker-filebeat-etc:/etc/filebeat
       - worker-filebeat-var:/var/lib/filebeat
-      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
       - ./config/wazuh_indexer_ssl_certs/wazuh.worker.pem:/etc/ssl/filebeat.pem
       - ./config/wazuh_indexer_ssl_certs/wazuh.worker-key.pem:/etc/ssl/filebeat.key
       - ./config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf

single-node/docker-compose.yml

@@ -40,7 +40,7 @@ services:
       - wazuh_wodles:/var/ossec/wodles
       - filebeat_etc:/etc/filebeat
       - filebeat_var:/var/lib/filebeat
-      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
       - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
       - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
       - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf