paulmataruso/wazuh-docker-orginal
1
0
Fork 0
mirror of https://github.com/wazuh/wazuh-docker.git synced 2025-10-23 16:14:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #390 from wazuh/feature-385-cluster-migration

Browse Source 
Implement cluster migration
This commit is contained in:
Manuel J. Bernal
2020-10-02 17:55:25 +02:00
committed by GitHub
parent 9a58958bcb da68eaf83e
commit baf2d0f536
24 changed files with 5617 additions and 209 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@@ -26,9 +26,6 @@ In addition, a docker-compose file is provided to launch the containers mentione
Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed) and setup the basic auth.
Documentation on how to provide these two can be found at [nginx_conf/README.md](nginx_conf/README.md).
## Directory structure
wazuh-docker
@@ -50,11 +47,6 @@ Documentation on how to provide these two can be found at [nginx_conf/README.md]
│   │   └── xpack_config.sh
│   └── Dockerfile
├── LICENSE
├── nginx_conf
│   ├── kibana-web.conf
│   ├── README.md
│   └── ssl
│   └── generate-self-signed-cert.sh
├── README.md
├── VERSION
└── wazuh

2
docker-compose.yml
View File

@@ -31,7 +31,7 @@ services:
- filebeat_var:/var/lib/filebeat
elasticsearch:
image: amazon/opendistro-for-elasticsearch:1.9.0
image: amazon/opendistro-for-elasticsearch:1.10.1
hostname: elasticsearch
restart: always
ports:

10
generate-opendistro-certs.yml Normal file
View File

@@ -0,0 +1,10 @@
# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
version: '3'
services:
generator:
image: wazuh/opendistro-certs-generator:0.1
hostname: opendistro-certs-generator
volumes:
- ./production_cluster/ssl_certs/certs.yml:/usr/src/config/myconf.yml
- ./production_cluster/ssl_certs/:/usr/src/certs/out/

4
kibana-opendistro/Dockerfile
View File

@@ -1,7 +1,7 @@
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
FROM amazon/opendistro-for-elasticsearch-kibana:1.9.0
FROM amazon/opendistro-for-elasticsearch-kibana:1.10.1
USER kibana
ARG ELASTIC_VERSION=7.8.0
ARG ELASTIC_VERSION=7.9.1
ARG WAZUH_VERSION=4.0.0
ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"

4349
kibana-opendistro/config/custom_welcome/light_theme.style.css Normal file
View File

File diff suppressed because it is too large Load Diff

118
kibana-opendistro/config/custom_welcome/security-login.style.css
View File

@@ -1,118 +0,0 @@
#security-login-app .content {
background: url(./wazuh_wazuh_bg.svg) !important;
width: 100% !important;
height: 100% !important;
background-size: cover !important;
}
.app-wrapper {
left: 0;
}
.global-nav.is-global-nav-open+.app-wrapper {
left: 0;
}
.btn-default {
background-color: #00a9e5!important;
border-color: #00a0e5!important;
color: #ffffff;
padding: 8px;
}
.btn-default:hover {
background-color: #00a9e5!important;
border-color: #00a0e5!important;
color: #ffffff;
}
.brand-image-container {
text-align: center;
}
.brand-image {
display: none;
}
.login-wrapper {
position: absolute;
width: 430px;
top: 55px;
border-radius: 1px;
padding: 1em;
}
.login-wrapper .login-title {
text-align: center;
padding-bottom: 10px;
color: #ffffff !important;
font-size: 35px !important;
font-weight: 300;
}
.login-wrapper .login-subtitle {
text-align: center;
padding-bottom: 15px;
color: #ffffff !important;
font-size: 16px !important;
}
.login-wrapper .login-form {
padding: 16px;
box-shadow: 0 2px 2px -1px rgba(152, 162, 179, 0.3), 0 1px 5px -2px rgba(152, 162, 179, 0.3);
background-color: #FFF;
border: 1px solid #D3DAE6;
border-radius: 4px;
-webkit-box-flex: 1;
-ms-flex-positive: 1;
flex-grow: 1;
margin-top: 32px;
}
.login-wrapper .login-form .input-group {
margin-bottom: 1em;
}
.login-wrapper .login-form .kuiTextInput {
cursor: initial;
}
.login-wrapper .login-form .kuiTextInput:invalid:not(.ng-touched) {
border-color: #D9D9D9;
}
.login-wrapper .login-form .kuiTextInput.has-error {
border-color: #A30000;
}
.login-wrapper .login-form .btn-login {
width: 100%;
}
.login-wrapper .error-message {
color: #b4251d;
font-size: 14px;
margin-top: 16px;
margin-bottom: 0;
background-color: #f8e9e9;
padding: 8px;
font-weight: 400;
border-left: 2px solid #BD271E;
}
.loginWelcome__logo {
display: inline-block;
width: 80px;
height: 80px;
line-height: 80px;
text-align: center;
background-color: #FFF;
border-radius: 100%;
padding: 16px;
box-shadow: 0 6px 12px -1px rgba(152, 162, 179, 0.2), 0 4px 4px -1px rgba(152, 162, 179, 0.2), 0 2px 2px 0 rgba(152, 162, 179, 0.2);
margin-bottom: 32px;
}
.loginWelcome__logo {
background: url(./wazuh_logo_circle.svg) center center no-repeat !important;
}

36
kibana-opendistro/config/custom_welcome/template.js.hbs
View File

@@ -1,7 +1,8 @@
var kbnCsp = JSON.parse(document.querySelector('kbn-csp').getAttribute('data'));
window.__kbnStrictCsp__ = kbnCsp.strictCsp;
window.__kbnDarkMode__ = {{darkMode}};
window.__kbnThemeTag__ = "{{themeTag}}";
window.__kbnPublicPath__ = {{publicPathMap}};
window.__kbnBundles__ = {{kbnBundlesLoaderSource}}
if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) {
var legacyBrowserError = document.getElementById('kbn_legacy_browser_error');
@@ -14,20 +15,24 @@ if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) {
loadingMessage.style.display = 'flex';
window.onload = function () {
//WAZUH
//WAZUH
var interval = setInterval(() => {
var title = document.getElementsByClassName('login-title');
if ((title || []).length) {
var title = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--medium > div")
if (!!title) {
clearInterval(interval);
title[0].textContent = "Welcome to Wazuh";
var subtitle = document.getElementsByClassName('login-subtitle');
subtitle[0].textContent = "The Open Source Security Platform";
var logo = document.getElementsByClassName('brand-image-container');
$(logo).append('<span class="loginWelcome__logo"></span>');
var content = document.querySelector("#kibana-body > div");
content.classList.add("wz-login")
title.textContent = "Welcome to Wazuh";
var subtitle = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--small > div")
subtitle.textContent = "The Open Source Security Platform";
var logo = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > figure");
logo.remove();
var logoContainer = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul");
$(logoContainer).prepend('<span class="loginWelcome__logo"></span>');
}
})
//
function failure() {
// make subsequent calls to failure() noop
failure = function () {};
@@ -43,7 +48,7 @@ if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) {
document.body.innerHTML = err.outerHTML;
}
var stylesheetTarget = document.querySelector('head meta[name="add-styles-here"]')
var stylesheetTarget = document.querySelector('head meta[name="add-styles-here"]')
function loadStyleSheet(url, cb) {
var dom = document.createElement('link');
dom.rel = 'stylesheet';
@@ -91,12 +96,7 @@ var stylesheetTarget = document.querySelector('head meta[name="add-styles-here"]
{{/each}}
], function () {
{{#unless legacyBundlePath}}
if (!__kbnBundles__ || !__kbnBundles__['entry/core'] || typeof __kbnBundles__['entry/core'].__kbnBootstrap__ !== 'function') {
console.error('entry/core bundle did not load correctly');
failure();
} else {
__kbnBundles__['entry/core'].__kbnBootstrap__()
}
__kbnBundles__.get('entry/core/public').__kbnBootstrap__();
{{/unless}}
load([
@@ -109,4 +109,4 @@ var stylesheetTarget = document.querySelector('head meta[name="add-styles-here"]
]);
});
}
}
}

2
kibana-opendistro/config/kibana_settings.sh
View File

@@ -29,7 +29,7 @@ if [ "$KIBANA_INDEX" != "" ]; then
echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
fi
while [[ "$(curl -XGET -I -s -o /dev/null -w '%{http_code}' -k https://127.0.0.1:5601/login)" != "200" ]]; do
while [[ "$(curl -XGET -I -s -o /dev/null -w '%{http_code}' -k https://127.0.0.1:5601/app/login)" != "200" ]]; do
echo "Waiting for Kibana API. Sleeping 5 seconds"
sleep 5
done

2
kibana-opendistro/config/welcome_wazuh.sh
View File

@@ -8,7 +8,7 @@ then
echo "Set custom welcome styles"
cp -f /tmp/custom_welcome/template.js.hbs /usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs
cp -f /tmp/custom_welcome/security-login.style.css /usr/share/kibana/optimize/bundles/security-login.style.css
cp -f /tmp/custom_welcome/light_theme.style.css /usr/share/kibana/optimize/bundles/light_theme.style.css
cp -f /tmp/custom_welcome/*svg /usr/share/kibana/optimize/bundles/
fi

34
nginx_conf/README.md
View File

@@ -1,34 +0,0 @@
### Enable SSL Traffic
Our Nginx config has SSL enabled by default, but it does require you to provide your certificate first, copy here your certificate files as `kibana-access.pem` and `kibana-access.key`.
The final tree should be like this:
```
nginx_conf/
├── kibana.htpasswd
├── kibana-web.conf
└── ssl
├── kibana-access.key
└── kibana-access.pem
```
#### Using a Self Signed Certificate
In case you want to use a self-signed certificate we provided a script to generate one.
Execute `bash generate-self-signed-cert.sh` inside the `ssl` directory and it will be generated. You must install `openssl` first.
### Setup Basic Authentication
The nginx configuration expects the file `kibana.htpasswd`.
This file can be generated with the `htpasswd` command.
```bash
htpasswd -c kibana.htpasswd username
```

20
nginx_conf/kibana-web.conf
View File

@@ -1,20 +0,0 @@
server {
listen 80;
listen [::]:80;
return 301 https://$host:443$request_uri;
}
server {
listen 443 default_server ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/nginx/conf.d/ssl/kibana-access.pem;
ssl_certificate_key /etc/nginx/conf.d/ssl/kibana-access.key;
location / {
# auth_basic "Restricted Access";
# auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
proxy_pass http://kibana:5601/;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
}
}

203
production-cluster.yml Normal file
View File

@@ -0,0 +1,203 @@
# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
version: '3.7'
services:
wazuh-master:
build: wazuh-opendistro/
image: wazuh-opendistro
hostname: wazuh-master
restart: always
ports:
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- ELASTICSEARCH_URL=https://elasticsearch:9200
- ELASTIC_USERNAME=admin
- ELASTIC_PASSWORD=SecretPassword
- FILEBEAT_SSL_VERIFICATION_MODE=full
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
- SSL_KEY=/etc/ssl/filebeat.key
volumes:
- ossec-api-configuration:/var/ossec/api/configuration
- ossec-etc:/var/ossec/etc
- ossec-logs:/var/ossec/logs
- ossec-queue:/var/ossec/queue
- ossec-var-multigroups:/var/ossec/var/multigroups
- ossec-integrations:/var/ossec/integrations
- ossec-active-response:/var/ossec/active-response/bin
- ossec-agentless:/var/ossec/agentless
- ossec-wodles:/var/ossec/wodles
- filebeat-etc:/etc/filebeat
- filebeat-var:/var/lib/filebeat
- ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
- ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
- ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
- ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
wazuh-worker:
build: wazuh-opendistro/
image: wazuh-opendistro
hostname: wazuh-worker
restart: always
environment:
- ELASTICSEARCH_URL=https://elasticsearch:9200
- ELASTIC_USERNAME=admin
- ELASTIC_PASSWORD=SecretPassword
- FILEBEAT_SSL_VERIFICATION_MODE=full
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
- SSL_KEY=/etc/ssl/filebeat.key
volumes:
- worker-ossec-api-configuration:/var/ossec/api/configuration
- worker-ossec-etc:/var/ossec/etc
- worker-ossec-logs:/var/ossec/logs
- worker-ossec-queue:/var/ossec/queue
- worker-ossec-var-multigroups:/var/ossec/var/multigroups
- worker-ossec-integrations:/var/ossec/integrations
- worker-ossec-active-response:/var/ossec/active-response/bin
- worker-ossec-agentless:/var/ossec/agentless
- worker-ossec-wodles:/var/ossec/wodles
- worker-filebeat-etc:/etc/filebeat
- worker-filebeat-var:/var/lib/filebeat
- ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
- ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
- ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
- ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
elasticsearch:
image: amazon/opendistro-for-elasticsearch:1.9.0
hostname: elasticsearch
restart: always
ports:
- "9200:9200"
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- elastic-data-1:/usr/share/elasticsearch/data
- ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
- ./production_cluster/ssl_certs/node1.key:/usr/share/elasticsearch/config/node1.key
- ./production_cluster/ssl_certs/node1.pem:/usr/share/elasticsearch/config/node1.pem
- ./production_cluster/elastic_opendistro/elasticsearch-node1.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
elasticsearch-2:
image: amazon/opendistro-for-elasticsearch:1.9.0
hostname: elasticsearch-2
restart: always
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- elastic-data-2:/usr/share/elasticsearch/data
- ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
- ./production_cluster/ssl_certs/node2.key:/usr/share/elasticsearch/config/node2.key
- ./production_cluster/ssl_certs/node2.pem:/usr/share/elasticsearch/config/node2.pem
- ./production_cluster/elastic_opendistro/elasticsearch-node2.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
elasticsearch-3:
image: amazon/opendistro-for-elasticsearch:1.9.0
hostname: elasticsearch-3
restart: always
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- elastic-data-3:/usr/share/elasticsearch/data
- ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
- ./production_cluster/ssl_certs/node3.key:/usr/share/elasticsearch/config/node3.key
- ./production_cluster/ssl_certs/node3.pem:/usr/share/elasticsearch/config/node3.pem
- ./production_cluster/elastic_opendistro/elasticsearch-node3.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
kibana:
build: kibana-opendistro/
image: wazuh-kibana-opendistro
hostname: kibana
restart: always
ports:
- 5601:5601
environment:
- ELASTICSEARCH_USERNAME=admin
- ELASTICSEARCH_PASSWORD=SecretPassword
- SERVER_SSL_ENABLED=true
- SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/cert.pem
- SERVER_SSL_KEY=/usr/share/kibana/config/key.pem
- WAZUH_API_URL="https://wazuh-master"
volumes:
- ./production_cluster/kibana_ssl/cert.pem:/usr/share/kibana/config/cert.pem
- ./production_cluster/kibana_ssl/key.pem:/usr/share/kibana/config/key.pem
depends_on:
- elasticsearch
links:
- elasticsearch:elasticsearch
- wazuh-master:wazuh-master
nginx:
image: nginx:stable
hostname: nginx
restart: always
ports:
- "80:80"
- "443:443"
- "1514:1514"
depends_on:
- wazuh-master
- wazuh-worker
- kibana
links:
- wazuh-master:wazuh-master
- wazuh-worker:wazuh-worker
- kibana:kibana
volumes:
- ./production_cluster/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- ./production_cluster/nginx/ssl:/etc/nginx/ssl:ro
volumes:
ossec-api-configuration:
ossec-etc:
ossec-logs:
ossec-queue:
ossec-var-multigroups:
ossec-integrations:
ossec-active-response:
ossec-agentless:
ossec-wodles:
filebeat-etc:
filebeat-var:
worker-ossec-api-configuration:
worker-ossec-etc:
worker-ossec-logs:
worker-ossec-queue:
worker-ossec-var-multigroups:
worker-ossec-integrations:
worker-ossec-active-response:
worker-ossec-agentless:
worker-ossec-wodles:
worker-filebeat-etc:
worker-filebeat-var:
elastic-data-1:
elastic-data-2:
elastic-data-3:

31
production_cluster/elastic_opendistro/elasticsearch-node1.yml Normal file
View File

@@ -0,0 +1,31 @@
network.host: 0.0.0.0
cluster.name: wazuh-cluster
node.name: elasticsearch
discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
bootstrap.memory_lock: true
opendistro_security.ssl.transport.pemcert_filepath: node1.pem
opendistro_security.ssl.transport.pemkey_filepath: node1.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node1.pem
opendistro_security.ssl.http.pemkey_filepath: node1.key
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_default_init_securityindex: true
opendistro_security.nodes_dn:
- 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
opendistro_security.authcz.admin_dn: []
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
#opendistro_security.audit.config.disabled_rest_categories: NONE
#opendistro_security.audit.config.disabled_transport_categories: NONE
opendistro_security.audit.log_request_body: false

31
production_cluster/elastic_opendistro/elasticsearch-node2.yml Normal file
View File

@@ -0,0 +1,31 @@
network.host: 0.0.0.0
cluster.name: wazuh-cluster
node.name: elasticsearch-2
discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
bootstrap.memory_lock: true
opendistro_security.ssl.transport.pemcert_filepath: node2.pem
opendistro_security.ssl.transport.pemkey_filepath: node2.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node2.pem
opendistro_security.ssl.http.pemkey_filepath: node2.key
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_default_init_securityindex: true
opendistro_security.nodes_dn:
- 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
opendistro_security.authcz.admin_dn: []
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
#opendistro_security.audit.config.disabled_rest_categories: NONE
#opendistro_security.audit.config.disabled_transport_categories: NONE
opendistro_security.audit.log_request_body: false

31
production_cluster/elastic_opendistro/elasticsearch-node3.yml Normal file
View File

@@ -0,0 +1,31 @@
network.host: 0.0.0.0
cluster.name: wazuh-cluster
node.name: elasticsearch-3
discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
bootstrap.memory_lock: true
opendistro_security.ssl.transport.pemcert_filepath: node3.pem
opendistro_security.ssl.transport.pemkey_filepath: node3.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node3.pem
opendistro_security.ssl.http.pemkey_filepath: node3.key
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_default_init_securityindex: true
opendistro_security.nodes_dn:
- 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
opendistro_security.authcz.admin_dn: []
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
#opendistro_security.audit.config.disabled_rest_categories: NONE
#opendistro_security.audit.config.disabled_transport_categories: NONE
opendistro_security.audit.log_request_body: false

56
production_cluster/elastic_opendistro/internal_users.yml Normal file
View File

@@ -0,0 +1,56 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
## Demo users
admin:
hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
kibanaserver:
hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
reserved: true
description: "Demo kibanaserver user"
kibanaro:
hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo kibanaro user"
logstash:
hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
backend_roles:
- "logstash"
description: "Demo logstash user"
readall:
hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
backend_roles:
- "readall"
description: "Demo readall user"
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
reserved: false
backend_roles:
- "snapshotrestore"
description: "Demo snapshotrestore user"

6
nginx_conf/ssl/generate-self-signed-cert.sh → production_cluster/kibana_ssl/generate-self-signed-cert.sh
View File

@@ -3,10 +3,10 @@
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
cd $DIR
if [ -s kibana-access.key ]
if [ -s key.pem ]
then
echo "Aborting. Certificate already exists"
echo "Certificate already exists"
exit
else
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout kibana-access.key -out kibana-access.pem
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
fi

66
production_cluster/nginx/nginx.conf Normal file
View File

@@ -0,0 +1,66 @@
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
gzip on;
# kibana UI
server {
listen 80;
listen [::]:80;
return 301 https://$host:443$request_uri;
}
server {
listen 443 default_server ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
location / {
proxy_pass https://kibana:5601/;
proxy_ssl_verify off;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
}
}
}
# load balancer for Wazuh cluster
stream {
upstream mycluster {
hash $remote_addr consistent;
server wazuh-master:1514;
server wazuh-worker:1514;
}
server {
listen 1514;
proxy_pass mycluster;
}
}

12
production_cluster/nginx/ssl/generate-self-signed-cert.sh Normal file
View File

@@ -0,0 +1,12 @@
#!/bin/bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
cd $DIR
if [ -s key.pem ]
then
echo "Certificate already exists"
exit
else
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
fi

30
production_cluster/ssl_certs/certs.yml Normal file
View File

@@ -0,0 +1,30 @@
ca:
root:
dn: CN=root-ca,OU=CA,O=Example\, Inc.,DC=example,DC=com
pkPassword: none
keysize: 2048
file: root-ca.pem
intermediate:
dn: CN=intermediate,OU=CA,O=Example\, Inc.,DC=example,DC=com
keysize: 2048
validityDays: 3650
pkPassword: intermediate-ca-password
file: intermediate-ca.pem
nodes:
- name: node1
dn: CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com
dns:
- elasticsearch
- name: node2
dn: CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com
dns:
- elasticsearch-2
- name: node3
dn: CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com
dns:
- elasticsearch-3
- name: filebeat
dn: CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com
dns:
- wazuh

349
production_cluster/wazuh_cluster/wazuh_manager.conf Normal file
View File

@@ -0,0 +1,349 @@
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detector>
<enabled>no</enabled>
<interval>5m</interval>
<ignore_time>6h</ignore_time>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>no</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<update_interval>1h</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>no</enabled>
<os>stretch</os>
<os>buster</os>
<update_interval>1h</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>no</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<update_interval>1h</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>4.2.2.1</white_list>
<white_list>4.2.2.2</white_list>
<white_list>208.67.220.220</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null-2012</name>
<executable>route-null-2012.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh-win-2016</name>
<executable>netsh-win-2016.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<!-- Configuration for ossec-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<force_insert>yes</force_insert>
<force_time>0</force_time>
<purge>yes</purge>
<use_password>no</use_password>
<limit_maxagents>yes</limit_maxagents>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>manager</node_name>
<node_type>master</node_type>
<key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh-master</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
</ossec_config>

349
production_cluster/wazuh_cluster/wazuh_worker.conf Normal file
View File

@@ -0,0 +1,349 @@
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detector>
<enabled>no</enabled>
<interval>5m</interval>
<ignore_time>6h</ignore_time>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>no</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<update_interval>1h</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>no</enabled>
<os>stretch</os>
<os>buster</os>
<update_interval>1h</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>no</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<update_interval>1h</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>4.2.2.1</white_list>
<white_list>4.2.2.2</white_list>
<white_list>208.67.220.220</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null-2012</name>
<executable>route-null-2012.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh-win-2016</name>
<executable>netsh-win-2016.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<!-- Configuration for ossec-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<force_insert>yes</force_insert>
<force_time>0</force_time>
<purge>yes</purge>
<use_password>no</use_password>
<limit_maxagents>yes</limit_maxagents>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>worker01</node_name>
<node_type>worker</node_type>
<key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh-master</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
</ossec_config>

6
wazuh-opendistro/Dockerfile
View File

@@ -3,7 +3,7 @@ FROM centos:7
ARG FILEBEAT_VERSION=7.8.0
ARG WAZUH_VERSION=4.0.0-1
ARG TEMPLATE_VERSION="develop"
ARG TEMPLATE_VERSION="master"
ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.2.tar.gz"
ENV API_USER="foo" \
@@ -16,7 +16,7 @@ RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo
RUN yum --enablerepo=updates clean metadata && \
yum -y install openssl which && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \
yum -y install openssl which expect openssh-clients && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \
yum clean all && rm -rf /var/cache/yum
@@ -25,7 +25,7 @@ RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-os
RUN curl -s https://packages-dev.wazuh.com/utils/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
ARG S6_VERSION="v2.0.0.1"
ARG S6_VERSION="v2.1.0.0"
RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
-o /tmp/s6-overlay-amd64.tar.gz && \
tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \

71
wazuh-opendistro/config/etc/cont-init.d/2-manager
View File

@@ -1,3 +1,74 @@
#!/usr/bin/with-contenv bash
##############################################################################
# Migration sequence
# Detect if there is a mounted volume on /wazuh-migration and copy the data
# to /var/ossec, finally it will create a flag ".migration-completed" inside
# the mounted volume
##############################################################################
function __colortext()
{
echo -e " \e[1;$2m$1\e[0m"
}
function echogreen()
{
echo $(__colortext "$1" "32")
}
function echoyellow()
{
echo $(__colortext "$1" "33")
}
function_wazuh_migration(){
if [ -d "/wazuh-migration" ]; then
if [ ! -e /wazuh-migration/.migration-completed ]; then
if [ ! -e /wazuh-migration/global.db ]; then
echoyellow "The volume mounted on /wazuh-migration does not contain all the correct files."
return
fi
\cp -f /wazuh-migration/data/etc/ossec.conf /var/ossec/etc/ossec.conf
chown root:ossec /var/ossec/etc/ossec.conf
chmod 640 /var/ossec/etc/ossec.conf
\cp -f /wazuh-migration/data/etc/client.keys /var/ossec/etc/client.keys
chown ossec:ossec /var/ossec/etc/client.keys
chmod 640 /var/ossec/etc/client.keys
\cp -f /wazuh-migration/data/etc/sslmanager.cert /var/ossec/etc/sslmanager.cert
\cp -f /wazuh-migration/data/etc/sslmanager.key /var/ossec/etc/sslmanager.key
chown root:root /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
chmod 640 /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
\cp -f /wazuh-migration/data/etc/shared/default/agent.conf /var/ossec/etc/shared/default/agent.conf
chown ossec:ossec /var/ossec/etc/shared/default/agent.conf
chmod 660 /var/ossec/etc/shared/default/agent.conf
if [ -e /wazuh-migration/data/agentless/.passlist ]; then
\cp -f /wazuh-migration/data/agentless/.passlist /var/ossec/agentless/.passlist
chown root:ossec /var/ossec/agentless/.passlist
chmod 640 /var/ossec/agentless/.passlist
fi
\cp -f /wazuh-migration/global.db /var/ossec/queue/db/global.db
chown ossec:ossec /var/ossec/queue/db/global.db
chmod 640 /var/ossec/queue/db/global.db
# mark volume as migrated
touch /wazuh-migration/.migration-completed
echogreen "Migration completed succesfully"
else
echoyellow "This volume has already been migrated. You may proceed and remove it from the mount point (/wazuh-migration)"
fi
fi
}
# Migrate data from /wazuh-migration volume
function_wazuh_migration
# Start Wazuh
/var/ossec/bin/ossec-control start