Change directories structure

build-docker-images/wazuh-indexer/Dockerfile

@@ -0,0 +1,72 @@
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+FROM ubuntu:focal AS builder
+
+RUN apt-get update -y && apt-get install curl openssl xz-utils -y
+
+COPY config/opensearch.yml /
+
+COPY config/config.sh .
+
+COPY config/config.yml /
+
+COPY config/internal_users.yml /
+
+COPY config/roles_mapping.yml /
+
+COPY config/roles.yml /
+
+RUN bash config.sh
+
+################################################################################
+# Build stage 1 (the actual Wazuh indexer image):
+#
+# Copy wazuh-indexer from stage 0
+# Add entrypoint
+################################################################################
+FROM ubuntu:focal
+
+ENV USER="wazuh-indexer" \
+    GROUP="wazuh-indexer" \
+    NAME="wazuh-indexer" \
+    INSTALL_DIR="/usr/share/wazuh-indexer"
+
+RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
+
+RUN useradd --system \
+            --uid 1000 \
+            --no-create-home \
+            --home-dir $INSTALL_DIR \
+            --gid $GROUP \
+            --shell /sbin/nologin \
+            --comment "$USER user" \
+            $USER
+
+WORKDIR $INSTALL_DIR
+
+COPY config/entrypoint.sh /
+
+COPY config/securityadmin.sh /
+
+RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh
+
+RUN chown 1000:1000 /*.sh
+
+COPY --from=builder --chown=1000:1000 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer
+COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd
+COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d
+COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d
+
+
+RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && \
+    mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs && \
+    mkdir -p /run/wazuh-indexer && chown 1000:1000 /run/wazuh-indexer && \
+    mkdir -p /var/log/wazuh-indexer && chown 1000:1000 /var/log/wazuh-indexer
+
+USER wazuh-indexer
+
+# Services ports
+EXPOSE 9200
+
+ENTRYPOINT ["/entrypoint.sh"]
+# Dummy overridable parameter parsed by entrypoint
+CMD ["opensearchwrapper"]

build-docker-images/wazuh-indexer/config/config.sh

@@ -0,0 +1,106 @@
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+# This has to be exported to make some magic below work.
+export DH_OPTIONS
+
+export NAME=wazuh-indexer
+export TARGET_DIR=${CURDIR}/debian/${NAME}
+
+# Package build options
+export USER=${NAME}
+export GROUP=${NAME}
+export VERSION=4.3.0
+export LOG_DIR=/var/log/${NAME}
+export LIB_DIR=/var/lib/${NAME}
+export PID_DIR=/run/${NAME}
+export INSTALLATION_DIR=/usr/share/${NAME}
+export CONFIG_DIR=${INSTALLATION_DIR}/config
+export BASE_DIR=${NAME}-*
+export INDEXER_FILE=wazuh-indexer-base.tar.xz
+export BASE_FILE=wazuh-indexer-base-${VERSION}-linux-x64.tar.xz
+export REPO_DIR=/unattended_installer
+
+
+rm -rf ${INSTALLATION_DIR}/
+
+curl -o ${INDEXER_FILE} https://packages-dev.wazuh.com/stack/indexer/base/${BASE_FILE}
+tar -xf ${INDEXER_FILE}
+
+## TOOLS
+
+## Variables
+CERT_TOOL=wazuh-certs-tool.sh
+PASSWORD_TOOL=wazuh-passwords-tool.sh
+PACKAGES_URL=https://packages.wazuh.com/4.3/
+PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.3/
+
+## Check if the cert tool exists in S3 buckets
+CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')
+CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')
+
+## If cert tool exists in some bucket, download it, if not exit 1
+if [ "$CERT_TOOL_PACKAGES" = "200" ]; then
+  curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL
+  echo "Cert tool exists in Packages bucket"
+elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then
+  curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL
+  echo "Cert tool exists in Packages-dev bucket"
+else
+  echo "Cert tool does not exist in any bucket"
+  exit 1
+fi
+
+
+## Check if the password tool exists in S3 buckets
+PASSWORD_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$PASSWORD_TOOL | grep -E "^HTTP" | awk  '{print $2}')
+PASSWORD_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$PASSWORD_TOOL | grep -E "^HTTP" | awk  '{print $2}')
+
+## If password tool exists in some bucket, download it, if not exit 1
+if [ "$PASSWORD_TOOL_PACKAGES" = "200" ]; then
+  curl -o $PASSWORD_TOOL $PACKAGES_URL$PASSWORD_TOOL
+  echo "Password tool exists in Packages bucket"
+elif [ "$PASSWORD_TOOL_PACKAGES_DEV" = "200" ]; then
+  curl -o $PASSWORD_TOOL $PACKAGES_DEV_URL$PASSWORD_TOOL
+  echo "Password tool exists in Packages-dev bucket"
+else
+  echo "Password tool does not exist in any bucket"
+  exit 1
+fi
+
+chmod 755 $CERT_TOOL && bash /$CERT_TOOL -A
+
+# copy to target
+mkdir -p ${TARGET_DIR}${INSTALLATION_DIR}
+mkdir -p ${TARGET_DIR}${CONFIG_DIR}
+mkdir -p ${TARGET_DIR}${LIB_DIR}
+mkdir -p ${TARGET_DIR}${LOG_DIR}
+mkdir -p ${TARGET_DIR}/etc/init.d
+mkdir -p ${TARGET_DIR}/etc/default
+mkdir -p ${TARGET_DIR}/usr/lib/tmpfiles.d
+mkdir -p ${TARGET_DIR}/usr/lib/sysctl.d
+mkdir -p ${TARGET_DIR}/usr/lib/systemd/system
+# Move configuration files for wazuh-indexer
+mv -f ${BASE_DIR}/etc/init.d/${NAME} ${TARGET_DIR}/etc/init.d/${NAME}
+mv -f ${BASE_DIR}/etc/wazuh-indexer/* ${TARGET_DIR}${CONFIG_DIR}
+mv -f ${BASE_DIR}/etc/sysconfig/${NAME} ${TARGET_DIR}/etc/default/
+mv -f ${BASE_DIR}/usr/lib/tmpfiles.d/* ${TARGET_DIR}/usr/lib/tmpfiles.d/
+mv -f ${BASE_DIR}/usr/lib/sysctl.d/* ${TARGET_DIR}/usr/lib/sysctl.d/
+mv -f ${BASE_DIR}/usr/lib/systemd/system/* ${TARGET_DIR}/usr/lib/systemd/system/
+rm -rf ${BASE_DIR}/etc
+rm -rf ${BASE_DIR}/usr
+# Copy installation files to final location
+cp -pr ${BASE_DIR}/* ${TARGET_DIR}${INSTALLATION_DIR}
+# Copy the security tools
+cp /$CERT_TOOL ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/tools/
+cp /$PASSWORD_TOOL ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/tools/
+# Copy Wazuh's config files for the security plugin
+cp -pr /roles_mapping.yml ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/securityconfig/
+cp -pr /roles.yml ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/securityconfig/
+cp -pr /internal_users.yml ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/securityconfig/
+cp -pr /opensearch.yml ${TARGET_DIR}${CONFIG_DIR}
+# Copy Wazuh indexer's certificates
+cp -pr /wazuh-certificates/demo.indexer.pem ${TARGET_DIR}${CONFIG_DIR}/indexer.pem
+cp -pr /wazuh-certificates/demo.indexer-key.pem ${TARGET_DIR}${CONFIG_DIR}/indexer-key.pem
+cp -pr /wazuh-certificates/root-ca.key ${TARGET_DIR}${CONFIG_DIR}/root-ca.key
+cp -pr /wazuh-certificates/root-ca.pem ${TARGET_DIR}${CONFIG_DIR}/root-ca.pem
+cp -pr /wazuh-certificates/admin.pem ${TARGET_DIR}${CONFIG_DIR}/admin.pem
+cp -pr /wazuh-certificates/admin-key.pem ${TARGET_DIR}${CONFIG_DIR}/admin-key.pem

build-docker-images/wazuh-indexer/config/config.yml

@@ -0,0 +1,5 @@
+nodes:
+  # Wazuh indexer server nodes
+  indexer:
+    name: demo.indexer
+    ip: demo.indexer

build-docker-images/wazuh-indexer/config/entrypoint.sh

@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+set -e
+
+umask 0002
+
+export USER=wazuh-indexer
+export INSTALLATION_DIR=/usr/share/wazuh-indexer
+export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}/config
+export JAVA_HOME=${INSTALLATION_DIR}/jdk
+export DISCOVERY=$(grep -oP "(?<=discovery.type: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
+export CACERT=$(grep -oP "(?<=plugins.security.ssl.transport.pemtrustedcas_filepath: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
+export CERT="${OPENSEARCH_PATH_CONF}/admin.pem"
+export KEY="${OPENSEARCH_PATH_CONF}/admin-key.pem"
+
+run_as_other_user_if_needed() {
+  if [[ "$(id -u)" == "0" ]]; then
+    # If running as root, drop to specified UID and run command
+    exec chroot --userspec=1000:0 / "${@}"
+  else
+    # Either we are running in Openshift with random uid and are a member of the root group
+    # or with a custom --user
+    exec "${@}"
+  fi
+}
+
+# Allow user specify custom CMD, maybe bin/opensearch itself
+# for example to directly specify `-E` style parameters for opensearch on k8s
+# or simply to run /bin/bash to check the image
+if [[ "$1" != "opensearchwrapper" ]]; then
+  if [[ "$(id -u)" == "0" && $(basename "$1") == "opensearch" ]]; then
+    # Rewrite CMD args to replace $1 with `opensearch` explicitly,
+    # Without this, user could specify `opensearch -E x.y=z` but
+    # `bin/opensearch -E x.y=z` would not work.
+    set -- "opensearch" "${@:2}"
+    # Use chroot to switch to UID 1000 / GID 0
+    exec chroot --userspec=1000:0 / "$@"
+  else
+    # User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?)
+    exec "$@"
+  fi
+fi
+
+# Allow environment variables to be set by creating a file with the
+# contents, and setting an environment variable with the suffix _FILE to
+# point to it. This can be used to provide secrets to a container, without
+# the values being specified explicitly when running the container.
+#
+# This is also sourced in opensearch-env, and is only needed here
+# as well because we use INDEXER_PASSWORD below. Sourcing this script
+# is idempotent.
+source /usr/share/wazuh-indexer/bin/opensearch-env-from-file
+
+if [[ -f bin/opensearch-users ]]; then
+  # Check for the INDEXER_PASSWORD environment variable to set the
+  # bootstrap password for Security.
+  #
+  # This is only required for the first node in a cluster with Security
+  # enabled, but we have no way of knowing which node we are yet. We'll just
+  # honor the variable if it's present.
+  if [[ -n "$INDEXER_PASSWORD" ]]; then
+    [[ -f /usr/share/wazuh-indexer/config/opensearch.keystore ]] || (run_as_other_user_if_needed opensearch-keystore create)
+    if ! (run_as_other_user_if_needed opensearch-keystore has-passwd --silent) ; then
+      # keystore is unencrypted
+      if ! (run_as_other_user_if_needed opensearch-keystore list | grep -q '^bootstrap.password$'); then
+        (run_as_other_user_if_needed echo "$INDEXER_PASSWORD" | opensearch-keystore add -x 'bootstrap.password')
+      fi
+    else
+      # keystore requires password
+      if ! (run_as_other_user_if_needed echo "$KEYSTORE_PASSWORD" \
+          | opensearch-keystore list | grep -q '^bootstrap.password$') ; then
+        COMMANDS="$(printf "%s\n%s" "$KEYSTORE_PASSWORD" "$INDEXER_PASSWORD")"
+        (run_as_other_user_if_needed echo "$COMMANDS" | opensearch-keystore add -x 'bootstrap.password')
+      fi
+    fi
+  fi
+fi
+
+if [[ "$(id -u)" == "0" ]]; then
+  # If requested and running as root, mutate the ownership of bind-mounts
+  if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then
+    chown -R 1000:0 /usr/share/wazuh-indexer/{data,logs}
+  fi
+fi
+
+
+if [[ "$DISCOVERY" == "single-node" ]]; then
+  # run securityadmin.sh for single node with CACERT, CERT and KEY parameter
+  nohup /securityadmin.sh &
+fi
+
+run_as_other_user_if_needed /usr/share/wazuh-indexer/bin/opensearch <<<"$KEYSTORE_PASSWORD"

build-docker-images/wazuh-indexer/config/internal_users.yml

@@ -0,0 +1,74 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+  type: "internalusers"
+  config_version: 2
+
+# Define your internal users here
+
+## Demo users
+
+admin:
+  hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
+  reserved: true
+  backend_roles:
+  - "admin"
+  description: "Demo admin user"
+
+kibanaserver:
+  hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
+  reserved: true
+  description: "Demo kibanaserver user"
+
+kibanaro:
+  hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+  reserved: false
+  backend_roles:
+  - "kibanauser"
+  - "readall"
+  attributes:
+    attribute1: "value1"
+    attribute2: "value2"
+    attribute3: "value3"
+  description: "Demo kibanaro user"
+
+logstash:
+  hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
+  reserved: false
+  backend_roles:
+  - "logstash"
+  description: "Demo logstash user"
+
+readall:
+  hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
+  reserved: false
+  backend_roles:
+  - "readall"
+  description: "Demo readall user"
+
+snapshotrestore:
+  hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
+  reserved: false
+  backend_roles:
+  - "snapshotrestore"
+  description: "Demo snapshotrestore user"
+
+wazuh_admin:
+  hash: "$2y$12$d2awHiOYvZjI88VfsDON.u6buoBol0gYPJEgdG1ArKVE0OMxViFfu"
+  reserved: true
+  hidden: false
+  backend_roles: []
+  attributes: {}
+  opendistro_security_roles: []
+  static: false
+  
+wazuh_user:
+  hash: "$2y$12$BQixeoQdRubZdVf/7sq1suHwiVRnSst1.lPI2M0.GPZms4bq2D9vO"
+  reserved: true
+  hidden: false
+  backend_roles: []
+  attributes: {}
+  opendistro_security_roles: []
+  static: false  

build-docker-images/wazuh-indexer/config/opensearch.yml

@@ -0,0 +1,27 @@
+network.host: "0.0.0.0"
+node.name: "wazuh.indexer"
+path.data: /var/lib/wazuh-indexer
+path.logs: /var/log/wazuh-indexer
+discovery.type: single-node
+compatibility.override_main_response_version: true
+plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/indexer.pem
+plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/indexer-key.pem
+plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/indexer-key.pem
+plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/root-ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.audit.type: internal_opensearch
+plugins.security.authcz.admin_dn:
+- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+- "CN=demo.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.restapi.roles_enabled:
+- "all_access"
+- "security_rest_api_access"
+plugins.security.system_indices.enabled: true
+plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

build-docker-images/wazuh-indexer/config/roles.yml

@@ -0,0 +1,163 @@
+_meta:
+  type: "roles"
+  config_version: 2
+
+# Restrict users so they can only view visualization and dashboards on kibana
+kibana_read_only:
+  reserved: true
+
+# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
+security_rest_api_access:
+  reserved: true
+
+# Allows users to view monitors, destinations and alerts
+alerting_read_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/alerting/alerts/get'
+    - 'cluster:admin/opendistro/alerting/destination/get'
+    - 'cluster:admin/opendistro/alerting/monitor/get'
+    - 'cluster:admin/opendistro/alerting/monitor/search'
+
+# Allows users to view and acknowledge alerts
+alerting_ack_alerts:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/alerting/alerts/*'
+
+# Allows users to use all alerting functionality
+alerting_full_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster_monitor'
+    - 'cluster:admin/opendistro/alerting/*'
+  index_permissions:
+    - index_patterns:
+        - '*'
+      allowed_actions:
+        - 'indices_monitor'
+        - 'indices:admin/aliases/get'
+        - 'indices:admin/mappings/get'
+
+# Allow users to read Anomaly Detection detectors and results
+anomaly_read_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/ad/detector/info'
+    - 'cluster:admin/opendistro/ad/detector/search'
+    - 'cluster:admin/opendistro/ad/detectors/get'
+    - 'cluster:admin/opendistro/ad/result/search'
+    - 'cluster:admin/opendistro/ad/tasks/search'
+
+# Allows users to use all Anomaly Detection functionality
+anomaly_full_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster_monitor'
+    - 'cluster:admin/opendistro/ad/*'
+  index_permissions:
+    - index_patterns:
+        - '*'
+      allowed_actions:
+        - 'indices_monitor'
+        - 'indices:admin/aliases/get'
+        - 'indices:admin/mappings/get'
+
+# Allows users to read Notebooks
+notebooks_read_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/notebooks/list'
+    - 'cluster:admin/opendistro/notebooks/get'
+
+# Allows users to all Notebooks functionality
+notebooks_full_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/notebooks/create'
+    - 'cluster:admin/opendistro/notebooks/update'
+    - 'cluster:admin/opendistro/notebooks/delete'
+    - 'cluster:admin/opendistro/notebooks/get'
+    - 'cluster:admin/opendistro/notebooks/list'
+
+# Allows users to read and download Reports
+reports_instances_read_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/reports/instance/list'
+    - 'cluster:admin/opendistro/reports/instance/get'
+    - 'cluster:admin/opendistro/reports/menu/download'
+
+# Allows users to read and download Reports and Report-definitions
+reports_read_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/reports/definition/get'
+    - 'cluster:admin/opendistro/reports/definition/list'
+    - 'cluster:admin/opendistro/reports/instance/list'
+    - 'cluster:admin/opendistro/reports/instance/get'
+    - 'cluster:admin/opendistro/reports/menu/download'
+
+# Allows users to all Reports functionality
+reports_full_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/reports/definition/create'
+    - 'cluster:admin/opendistro/reports/definition/update'
+    - 'cluster:admin/opendistro/reports/definition/on_demand'
+    - 'cluster:admin/opendistro/reports/definition/delete'
+    - 'cluster:admin/opendistro/reports/definition/get'
+    - 'cluster:admin/opendistro/reports/definition/list'
+    - 'cluster:admin/opendistro/reports/instance/list'
+    - 'cluster:admin/opendistro/reports/instance/get'
+    - 'cluster:admin/opendistro/reports/menu/download'
+
+# Allows users to use all asynchronous-search functionality
+asynchronous_search_full_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/asynchronous_search/*'
+  index_permissions:
+    - index_patterns:
+        - '*'
+      allowed_actions:
+        - 'indices:data/read/search*'
+
+# Allows users to read stored asynchronous-search results
+asynchronous_search_read_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/asynchronous_search/get'
+
+wazuh_ui_user:
+  reserved: true
+  hidden: false
+  cluster_permissions: []
+  index_permissions:
+  - index_patterns:
+    - "wazuh-*"
+    dls: ""
+    fls: []
+    masked_fields: []
+    allowed_actions:
+    - "read"
+  tenant_permissions: []
+  static: false        
+
+wazuh_ui_admin:
+  reserved: true
+  hidden: false
+  cluster_permissions: []
+  index_permissions:
+  - index_patterns:
+    - "wazuh-*"
+    dls: ""
+    fls: []
+    masked_fields: []
+    allowed_actions:
+    - "read"
+    - "delete"
+    - "manage"
+    - "index"
+  tenant_permissions: []
+  static: false  

build-docker-images/wazuh-indexer/config/roles_mapping.yml

@@ -0,0 +1,71 @@
+---
+# In this file users, backendroles and hosts can be mapped to Open Distro Security roles.
+# Permissions for Opendistro roles are configured in roles.yml
+
+_meta:
+  type: "rolesmapping"
+  config_version: 2
+
+# Define your roles mapping here
+
+## Demo roles mapping
+
+all_access:
+  reserved: false
+  backend_roles:
+  - "admin"
+  description: "Maps admin to all_access"
+
+own_index:
+  reserved: false
+  users:
+  - "*"
+  description: "Allow full access to an index named like the username"
+
+logstash:
+  reserved: false
+  backend_roles:
+  - "logstash"
+
+kibana_user:
+  reserved: false
+  backend_roles:
+  - "kibanauser"
+  users:
+  - "wazuh_user"
+  - "wazuh_admin"    
+  description: "Maps kibanauser to kibana_user"
+
+readall:
+  reserved: false
+  backend_roles:
+  - "readall"
+
+manage_snapshots:
+  reserved: false
+  backend_roles:
+  - "snapshotrestore"
+
+kibana_server:
+  reserved: true
+  users:
+  - "kibanaserver"
+
+wazuh_ui_admin:
+  reserved: true
+  hidden: false
+  backend_roles: []
+  hosts: []
+  users:
+  - "wazuh_admin"
+  - "kibanaserver"
+  and_backend_roles: []
+
+wazuh_ui_user:
+  reserved: true
+  hidden: false
+  backend_roles: []
+  hosts: []
+  users:
+  - "wazuh_user"
+  and_backend_roles: []

build-docker-images/wazuh-indexer/config/securityadmin.sh

@@ -0,0 +1,3 @@
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+sleep 30
+bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ -nhnv -cacert  $CACERT -cert $CERT -key $KEY -p 9300 -icl