Merge 4.12.1 into 4.13.0

build-docker-images/README.md

@@ -13,7 +13,7 @@ This script initializes the environment variables needed to build each of the im
 The script allows you to build images from other versions of Wazuh, to do this you must use the -v or --version argument:
 
 ```
-$ build-docker-images/build-images.sh -v 4.12.1
+$ build-docker-images/build-images.sh -v 4.13.0
 ```
 
 To get all the available script options use the -h or --help option:
@@ -26,7 +26,7 @@ Usage: build-docker-images/build-images.sh [OPTIONS]
     -d, --dev <ref>              [Optional] Set the development stage you want to build, example rc1 or beta1, not used by default.
     -f, --filebeat-module <ref>  [Optional] Set Filebeat module version. By default 0.4.
     -r, --revision <rev>         [Optional] Package revision. By default 1
-    -v, --version <ver>          [Optional] Set the Wazuh version should be builded. By default, 4.12.1.
+    -v, --version <ver>          [Optional] Set the Wazuh version should be builded. By default, 4.13.0.
     -h, --help                   Show this help.
 
 ```

build-docker-images/build-images.sh

@@ -1,4 +1,4 @@
-WAZUH_IMAGE_VERSION=4.12.1
+WAZUH_IMAGE_VERSION=4.13.0
 WAZUH_VERSION=$(echo $WAZUH_IMAGE_VERSION | sed -e 's/\.//g')
 WAZUH_TAG_REVISION=1
 WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '["]tag_name["]:' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2- | sed -e 's/\.//g')
@@ -12,7 +12,7 @@ IMAGE_VERSION=${WAZUH_IMAGE_VERSION}
 # License (version 2) as published by the FSF - Free Software
 # Foundation.
 
-WAZUH_IMAGE_VERSION="4.12.1"
+WAZUH_IMAGE_VERSION="4.13.0"
 WAZUH_TAG_REVISION="1"
 WAZUH_DEV_STAGE=""
 FILEBEAT_MODULE_VERSION="0.4"
@@ -65,7 +65,7 @@ build() {
     echo WAZUH_FILEBEAT_MODULE=$WAZUH_FILEBEAT_MODULE >> .env
     echo WAZUH_UI_REVISION=$WAZUH_UI_REVISION >> .env
 
-    docker-compose -f build-docker-images/build-images.yml --env-file .env build --no-cache || clean 1
+    docker compose -f build-docker-images/build-images.yml --env-file .env build --no-cache || clean 1
 
     return 0
 }

build-docker-images/build-images.yml

@@ -1,6 +1,4 @@
 # Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
-version: '3.7'
-
 services:
   wazuh.manager:
     build:
@@ -36,6 +34,16 @@ services:
       - filebeat_etc:/etc/filebeat
       - filebeat_var:/var/lib/filebeat
 
+  wazuh.agent:
+    build:
+      context: wazuh-agent/
+      args:
+        WAZUH_VERSION: ${WAZUH_VERSION}
+        WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION}
+    image: wazuh/wazuh-agent:${WAZUH_IMAGE_VERSION}
+    hostname: wazuh.agent
+    restart: always
+
   wazuh.indexer:
     build:
       context: wazuh-indexer/

build-docker-images/wazuh-agent/Dockerfile

@@ -0,0 +1,36 @@
+# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+FROM amazonlinux:2023
+
+RUN rm /bin/sh && ln -s /bin/bash /bin/sh
+
+ARG WAZUH_VERSION
+ARG WAZUH_TAG_REVISION
+ARG S6_VERSION="v2.2.0.3"
+ARG WAZUH_MANAGER='CHANGE_MANAGER_IP'
+ARG WAZUH_MANAGER_PORT='CHANGE_MANAGER_PORT'
+ARG WAZUH_REGISTRATION_SERVER='CHANGE_ENROLL_IP'
+ARG WAZUH_REGISTRATION_PORT='CHANGE_ENROLL_PORT'
+ARG WAZUH_AGENT_NAME='CHANGEE_AGENT_NAME'
+
+COPY config/check_repository.sh /
+
+RUN yum install curl-minimal tar gzip procps -y &&\
+    yum clean all
+
+RUN chmod 775 /check_repository.sh
+RUN source /check_repository.sh
+
+RUN yum install wazuh-agent-${WAZUH_VERSION}-${WAZUH_TAG_REVISION} -y && \
+    yum clean all && \
+    sed -i '/<authorization_pass_path>/d' /var/ossec/etc/ossec.conf && \
+    curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
+    -o /tmp/s6-overlay-amd64.tar.gz && \
+    tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \
+    tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \
+    rm  /tmp/s6-overlay-amd64.tar.gz
+
+COPY config/etc/ /etc/
+
+RUN rm /etc/yum.repos.d/wazuh.repo
+
+ENTRYPOINT [ "/init" ]

build-docker-images/wazuh-agent/config/check_repository.sh

@@ -0,0 +1,15 @@
+## variables
+APT_KEY=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
+GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
+REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1"
+WAZUH_TAG=$(curl --silent https://api.github.com/repos/wazuh/wazuh/git/refs/tags | grep '["]ref["]:' | sed -E 's/.*\"([^\"]+)\".*/\1/'  | cut -c 11- | grep ^v${WAZUH_VERSION}$)
+
+## check tag to use the correct repository
+if [[ -n "${WAZUH_TAG}" ]]; then
+  APT_KEY=https://packages.wazuh.com/key/GPG-KEY-WAZUH
+  GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
+  REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1"
+fi
+
+rpm --import "${APT_KEY}"
+echo -e "${REPOSITORY}" | tee /etc/yum.repos.d/wazuh.repo

build-docker-images/wazuh-agent/config/etc/cont-init.d/0-wazuh-init

@@ -0,0 +1,90 @@
+#!/usr/bin/with-contenv bash
+# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+
+WAZUH_INSTALL_PATH=/var/ossec
+WAZUH_CONFIG_MOUNT=/wazuh-config-mount
+WAZUH_MANAGER_SERVER=$WAZUH_MANAGER_SERVER
+WAZUH_MANAGER_PORT=${WAZUH_MANAGER_PORT:-"1514"}
+WAZUH_REGISTRATION_SERVER=${WAZUH_REGISTRATION_SERVER:-$WAZUH_MANAGER_SERVER}
+WAZUH_REGISTRATION_PORT=${WAZUH_REGISTRATION_PORT:-"1515"}
+WAZUH_REGISTRATION_PASSWORD=$WAZUH_REGISTRATION_PASSWORD
+WAZUH_AGENT_NAME=${WAZUH_AGENT_NAME:-"wazuh-agent-$HOSTNAME"}
+
+##############################################################################
+# Aux functions
+##############################################################################
+print() {
+  echo -e $1
+}
+
+error_and_exit() {
+  echo "Error executing command: '$1'."
+  echo 'Exiting.'
+  exit 1
+}
+
+exec_cmd() {
+  eval $1 > /dev/null 2>&1 || error_and_exit "$1"
+}
+
+exec_cmd_stdout() {
+  eval $1 2>&1 || error_and_exit "$1"
+}
+
+##############################################################################
+# Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect
+# destination files permissions
+#
+# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
+# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
+# replace the ossec.conf file in /var/ossec/data/etc with yours.
+##############################################################################
+
+mount_files() {
+  if [ -e "$WAZUH_CONFIG_MOUNT" ]
+  then
+    print "Identified Wazuh configuration files to mount..."
+    exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $WAZUH_INSTALL_PATH"
+  else
+    print "No Wazuh configuration files to mount..."
+  fi
+}
+
+##############################################################################
+# Allow users to set the manager ip and port, enrollment ip and port and
+# enroll dynamically on container start.
+#
+# To use this:
+# 1. Create your own ossec.conf file
+# 2. In your ossec.conf file, use the <agent> configuration
+# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
+##############################################################################
+
+set_manager_conn() {
+  echo "ossec.conf configuration"
+  sed -i "s#<address>CHANGE_MANAGER_IP</address>#<address>$WAZUH_MANAGER_SERVER</address>#g" ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+  sed -i "s#<port>CHANGE_MANAGER_PORT</port>#<port>$WAZUH_MANAGER_PORT</port>#g" ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+  sed -i "s#<manager_address>CHANGE_ENROLL_IP</manager_address>#<manager_address>$WAZUH_REGISTRATION_SERVER</manager_address>#g" ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+  sed -i "s#<port>CHANGE_ENROLL_PORT</port>#<port>$WAZUH_REGISTRATION_PORT</port>#g" ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+  sed -i "s#<agent_name>CHANGEE_AGENT_NAME</agent_name>#<agent_name>$WAZUH_AGENT_NAME</agent_name>#g" ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+  [ -n "$WAZUH_REGISTRATION_PASSWORD" ] && \
+  echo "$WAZUH_REGISTRATION_PASSWORD" > ${WAZUH_INSTALL_PATH}/etc/authd.pass && \
+  chown root:wazuh ${WAZUH_INSTALL_PATH}/etc/authd.pass && \
+  chmod 640 ${WAZUH_INSTALL_PATH}/etc/authd.pass
+}
+
+##############################################################################
+# Main function
+##############################################################################
+
+main() {
+
+  # Mount selected files (WAZUH_CONFIG_MOUNT) to container
+  mount_files
+
+  # Configure agent variables
+  set_manager_conn
+
+}
+
+main

build-docker-images/wazuh-agent/config/etc/cont-init.d/1-agent

@@ -0,0 +1,44 @@
+#!/usr/bin/with-contenv bash
+
+##############################################################################
+# Migration sequence
+# Detect if there is a mounted volume on /wazuh-migration and copy the data
+# to /var/ossec, finally it will create a flag ".migration-completed" inside
+# the mounted volume
+##############################################################################
+
+function __colortext()
+{
+  echo -e " \e[1;$2m$1\e[0m"
+}
+
+function echogreen()
+{
+  echo $(__colortext "$1" "32")
+}
+
+function echoyellow()
+{
+  echo $(__colortext "$1" "33")
+}
+
+function echored()
+{
+  echo $(__colortext "$1" "31")
+}
+
+function_entrypoint_scripts() {
+  # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+  if [ -d "/entrypoint-scripts/" ]
+  then
+    for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+      bash "$script"
+    done
+  fi
+}
+
+# run entrypoint scripts
+function_entrypoint_scripts
+
+# Start Wazuh
+/var/ossec/bin/wazuh-control start

build-docker-images/wazuh-agent/config/etc/services.d/ossec-logs/run

@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv sh
+
+# dumping ossec.log to standard output
+exec tail -F /var/ossec/logs/ossec.log

build-docker-images/wazuh-agent/config/wazuh-agent-conf

@@ -0,0 +1,194 @@
+<!--
+  Wazuh - Agent - Default configuration for amzn 2023
+  More info at: https://documentation.wazuh.com
+  Mailing list: https://groups.google.com/forum/#!forum/wazuh
+-->
+
+<ossec_config>
+  <client>
+    <server>
+      <address>CHANGE_MANAGER_IP</address>
+      <port>CHANGE_MANAGER_PORT</port>
+      <protocol>tcp</protocol>
+    </server>
+    <config-profile>amzn, amzn2023</config-profile>
+    <notify_time>10</notify_time>
+    <time-reconnect>60</time-reconnect>
+    <auto_restart>yes</auto_restart>
+    <crypto_method>aes</crypto_method>
+    <enrollment>
+      <enabled>yes</enabled>
+      <manager_address>CHANGE_ENROLL_IP</manager_address>
+      <port>CHANGE_ENROLL_PORT</port>
+      <agent_name>CHANGEE_AGENT_NAME</agent_name>
+      <authorization_pass_path>etc/authd.pass</authorization_pass_path>
+    </enrollment>
+  </client>
+
+  <client_buffer>
+    <!-- Agent buffer options -->
+    <disabled>no</disabled>
+    <queue_size>5000</queue_size>
+    <events_per_second>500</events_per_second>
+  </client_buffer>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
+
+    <skip_nfs>yes</skip_nfs>
+
+    <ignore>/var/lib/containerd</ignore>
+    <ignore>/var/lib/docker/overlay2</ignore>
+  </rootcheck>
+
+  <wodle name="cis-cat">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+
+    <java_path>wodles/java</java_path>
+    <ciscat_path>wodles/ciscat</ciscat_path>
+  </wodle>
+
+  <!-- Osquery integration -->
+  <wodle name="osquery">
+    <disabled>yes</disabled>
+    <run_daemon>yes</run_daemon>
+    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+    <config_path>/etc/osquery/osquery.conf</config_path>
+    <add_labels>yes</add_labels>
+  </wodle>
+
+  <!-- System inventory -->
+  <wodle name="syscollector">
+    <disabled>no</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+    <packages>yes</packages>
+    <ports all="no">yes</ports>
+    <processes>yes</processes>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </wodle>
+
+  <sca>
+    <enabled>yes</enabled>
+    <scan_on_start>yes</scan_on_start>
+    <interval>12h</interval>
+    <skip_nfs>yes</skip_nfs>
+  </sca>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories>/etc,/usr/bin,/usr/sbin</directories>
+    <directories>/bin,/sbin,/boot</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+
+    <!-- File types to ignore -->
+    <ignore type="sregex">.log$|.swp$</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+    <skip_dev>yes</skip_dev>
+    <skip_proc>yes</skip_proc>
+    <skip_sys>yes</skip_sys>
+
+    <!-- Nice value for Syscheck process -->
+    <process_priority>10</process_priority>
+
+    <!-- Maximum output throughput -->
+    <max_eps>50</max_eps>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </syscheck>
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <!-- Active response -->
+  <active-response>
+    <disabled>no</disabled>
+    <ca_store>etc/wpk_root.pem</ca_store>
+    <ca_verification>yes</ca_verification>
+  </active-response>
+
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
+</ossec_config>
+
+<ossec_config>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+
+</ossec_config>

build-docker-images/wazuh-dashboard/config/config.sh

@@ -9,8 +9,8 @@ export CONFIG_DIR=${INSTALLATION_DIR}/config
 
 ## Variables
 CERT_TOOL=wazuh-certs-tool.sh
-PACKAGES_URL=https://packages.wazuh.com/4.12/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.12/
+PACKAGES_URL=https://packages.wazuh.com/4.13/
+PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.13/
 
 ## Check if the cert tool exists in S3 buckets
 CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')

build-docker-images/wazuh-indexer/config/config.sh

@@ -22,8 +22,8 @@ export REPO_DIR=/unattended_installer
 ## Variables
 CERT_TOOL=wazuh-certs-tool.sh
 PASSWORD_TOOL=wazuh-passwords-tool.sh
-PACKAGES_URL=https://packages.wazuh.com/4.12/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.12/
+PACKAGES_URL=https://packages.wazuh.com/4.13/
+PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.13/
 
 ## Check if the cert tool exists in S3 buckets
 CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')

build-docker-images/wazuh-manager/config/etc/cont-init.d/2-manager

@@ -115,8 +115,8 @@ function_entrypoint_scripts() {
 function_configure_vulnerability_detection() {
 if [ "$INDEXER_PASSWORD" != "" ]; then
   >&2 echo "Configuring password."
-  /var/ossec/bin/wazuh-keystore -f indexer -k username -v $INDEXER_USERNAME
-  /var/ossec/bin/wazuh-keystore -f indexer -k password -v $INDEXER_PASSWORD
+    echo "$INDEXER_USERNAME" | /var/ossec/bin/wazuh-keystore -f indexer -k username
+    echo "$INDEXER_PASSWORD" | /var/ossec/bin/wazuh-keystore -f indexer -k password
 fi
 }