Increase the default Node.js heap memory.

Improved Kibana Image to include all Dependencies

README.md

@@ -1,4 +1,9 @@
-# Wazuh containers for Docker 
+# Wazuh containers for Docker
+
+[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://goo.gl/forms/M2AoZC4b2R9A9Zy12)
+[![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
+[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
+[![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
 
 In this repository you will find the containers to run:
 
@@ -10,7 +15,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
 
 ## Current release
 
-Containers are currently tested on Wazuh version 2.0 and Elastic Stack version 5.5.1. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
+Containers are currently tested on Wazuh version 3.1.0 and Elastic Stack version 6.1.0. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
 
 ## Installation notes
 

docker-compose.yml

@@ -13,8 +13,8 @@ services:
     networks:
         - docker_elk
 #    volumes:
-#      - my-path:/var/ossec/data
+#      - my-path:/var/ossec/data:Z
-#      - my-path:/etc/postfix
+#      - my-path:/etc/postfix:Z
     depends_on:
       - elasticsearch
   logstash:
@@ -23,7 +23,7 @@ services:
     restart: always
     command: -f /etc/logstash/conf.d/
 #    volumes:
-#      - my-path:/etc/logstash/conf.d
+#      - my-path:/etc/logstash/conf.d:Z
     links:
      - kibana
      - elasticsearch:elasticsearch
@@ -35,35 +35,68 @@ services:
       - elasticsearch
     environment:
       - LS_HEAP_SIZE=2048m
+      - XPACK_MONITORING_ENABLED=false
   elasticsearch:
-    image: elasticsearch:5.5.1
+    image: docker.elastic.co/elasticsearch/elasticsearch:6.1.3
     hostname: elasticsearch
     restart: always
-    command: elasticsearch -E node.name="node-1" -E cluster.name="wazuh" -E network.host=0.0.0.0
     ports:
       - "9200:9200"
-      - "9300:9300"
+#      - "9300:9300"
     environment:
-      ES_JAVA_OPTS: "-Xms2g -Xmx2g"
+      - node.name=node-1
+      - cluster.name=wazuh
+      - network.host=0.0.0.0
+      - bootstrap.memory_lock=true
+      - xpack.security.enabled=false
+      - xpack.monitoring.enabled=false
+      - xpack.ml.enabled=false
+      - xpack.watcher.enabled=false
+      - xpack.graph.enabled=false
+      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    mem_limit: 2g
 #    volumes:
-#      - my-path:/usr/share/elasticsearch/data
+#      - my-path:/usr/share/elasticsearch/data:Z
     networks:
         - docker_elk
   kibana:
     image: wazuh/wazuh-kibana
     hostname: kibana
     restart: always
-    ports:
+#    ports:
-      - "5601:5601"
+#      - "5601:5601"
+    environment:
+      - "NODE_OPTIONS=--max-old-space-size=3072"
     networks:
-        - docker_elk
+      - docker_elk
     depends_on:
       - elasticsearch
     links:
       - elasticsearch:elasticsearch
-    entrypoint: sh wait-for-it.sh elasticsearch
+      - wazuh
-#    environment:
+    entrypoint: /wait-for-it.sh elasticsearch
-#      - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.1.0-5.5.1.zip"
+  nginx:
+    image: wazuh/wazuh-nginx
+    hostname: nginx
+    restart: always
+    entrypoint: /run.sh
+    environment:
+      - NGINX_PORT=443
+    ports:
+      - "80:80"
+      - "443:443"
+#    volumes:
+#      - my-path:/etc/nginx/conf.d:Z
+    networks:
+      - docker_elk
+    depends_on:
+      - kibana
+    links:
+      - kibana
 
 networks:
   docker_elk:

kibana/Dockerfile

@@ -1,7 +1,21 @@
-FROM kibana:5.5.1
+FROM docker.elastic.co/kibana/kibana:6.1.3
 
-RUN apt-get update && apt-get install -y curl
+USER root
 
-COPY ./config/kibana.yml /opt/kibana/config/kibana.yml
+COPY ./config/kibana.yml /usr/share/kibana/config/kibana.yml
 
-COPY config/wait-for-it.sh /
+COPY config/wait-for-it.sh /wait-for-it.sh
+
+ADD https://packages.wazuh.com/wazuhapp/wazuhapp-3.1.0_6.1.3.zip /tmp
+
+ADD https://raw.githubusercontent.com/wazuh/wazuh/3.1/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
+
+ADD https://raw.githubusercontent.com/wazuh/wazuh/3.1/extensions/elasticsearch/wazuh-elastic6-template-monitoring.json /usr/share/kibana/config
+
+ADD https://raw.githubusercontent.com/wazuh/wazuh/3.1/extensions/elasticsearch/alert_sample.json /usr/share/kibana/config
+
+RUN /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-3.1.0_6.1.3.zip
+
+RUN rm -rf /tmp/*
+
+RUN chmod 755 /wait-for-it.sh

kibana/config/kibana.yml

@@ -81,7 +81,7 @@ elasticsearch.url: "http://elasticsearch:9200"
 # logging.silent: false
 
 # Set the value of this setting to true to suppress all logging output other than error messages.
-# logging.quiet: false
+logging.quiet: true
 
 # Set the value of this setting to true to log all events, including system usage information
 # and all requests.
@@ -90,3 +90,10 @@ elasticsearch.url: "http://elasticsearch:9200"
 # Set the interval in milliseconds to sample system and process performance
 # metrics. Minimum is 100ms. Defaults to 10000.
 # ops.interval: 10000
+
+xpack.security.enabled: false
+xpack.grokdebugger.enabled: false
+xpack.graph.enabled: false
+xpack.ml.enabled: false
+xpack.monitoring.enabled: false
+xpack.reporting.enabled: false

kibana/config/wait-for-it.sh

@@ -5,21 +5,54 @@ set -e
 host="$1"
 shift
 cmd="kibana"
-WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-2.1.0_5.5.1.zip}
 
 until curl -XGET $host:9200; do
   >&2 echo "Elastic is unavailable - sleeping"
-  sleep 1
+  sleep 5
 done
 
-sleep 30
-
 >&2 echo "Elastic is up - executing command"
 
-if /usr/share/kibana/bin/kibana-plugin list | grep wazuh; then
+sleep 5
-  echo "Wazuh APP already installed"
+#Insert default templates
+cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://elasticsearch:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
+
+sleep 5
+#Insert default templates
+cat /usr/share/kibana/config/wazuh-elastic6-template-monitoring.json | curl -XPUT 'http://elasticsearch:9200/_template/wazuh-agent' -H 'Content-Type: application/json' -d @-
+
+#Insert sample alert:
+sleep 5
+cat /usr/share/kibana/config/alert_sample.json | curl -XPUT "http://elasticsearch:9200/wazuh-alerts-3.x-"`date +%Y.%m.%d`"/wazuh/sample" -H 'Content-Type: application/json' -d @-
+
+sleep 5
+echo "Setting API credentials into Wazuh APP"
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/1513629884013)
+if [ "x$CONFIG_CODE" = "x404" ]; then
+  curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
+    {
+      "api_user": "foo",
+      "api_password": "YmFy",
+      "url": "https://wazuh",
+      "api_port": "55000",
+      "insecure": "true",
+      "component": "API",
+      "cluster_info": {
+        "manager": "wazuh-manager",
+        "cluster": "Disabled",
+        "status": "disabled"
+       },
+      "extensions": {
+        "oscap": true,
+        "audit": true,
+        "pci": true
+      }
+    }
+    ' > /dev/null
 else
-  /usr/share/kibana/bin/kibana-plugin install ${WAZUH_KIBANA_PLUGIN_URL}
+  echo "Wazuh APP already configured"
 fi
 
+sleep 5
+
 exec $cmd

logstash/Dockerfile

@@ -1,12 +1,3 @@
-FROM logstash:5.5.1
+FROM docker.elastic.co/logstash/logstash:6.1.3
-
-RUN apt-get update
 
 COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf
-COPY config/wazuh-elastic5-template.json /etc/logstash/wazuh-elastic5-template.json
-
-
-ADD config/run.sh /tmp/run.sh
-RUN chmod 755 /tmp/run.sh
-
-ENTRYPOINT ["/tmp/run.sh"]

logstash/config/logstash.conf

@@ -4,22 +4,26 @@ input {
     beats {
         port => 5000
         codec => "json_lines"
-#        ssl => true
+#       ssl => true
-#        ssl_certificate => "/etc/logstash/logstash.crt"
+#       ssl_certificate => "/etc/logstash/logstash.crt"
-#        ssl_key => "/etc/logstash/logstash.key"
+#       ssl_key => "/etc/logstash/logstash.key"
+    }
+}
+filter {
+    if [data][srcip] {
+        mutate {
+            add_field => [ "@src_ip", "%{[data][srcip]}" ]
+        }
+    }
+    if [data][aws][sourceIPAddress] {
+        mutate {
+            add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
+        }
     }
 }
-## Local Wazuh Manager - JSON file input
-#input {
-#   file {
-#       type => "wazuh-alerts"
-#       path => "/var/ossec/logs/alerts/alerts.json"
-#       codec => "json"
-#   }
-#}
 filter {
     geoip {
-        source => "srcip"
+        source => "@src_ip"
         target => "GeoLocation"
         fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
     }
@@ -28,16 +32,13 @@ filter {
         target => "@timestamp"
     }
     mutate {
-        remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"]
+        remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
     }
 }
 output {
     elasticsearch {
         hosts => ["elasticsearch:9200"]
-        index => "wazuh-alerts-%{+YYYY.MM.dd}"
+        index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
         document_type => "wazuh"
-        template => "/etc/logstash/wazuh-elastic5-template.json"
-        template_name => "wazuh"
-        template_overwrite => true
     }
 }

logstash/config/wazuh-elastic5-template.json

@@ -1,620 +0,0 @@
-{
-  "order": 0,
-  "template": "wazuh*",
-  "settings": {
-    "index.refresh_interval": "5s"
-  },
-  "mappings": {
-    "wazuh": {
-      "dynamic_templates": [
-        {
-          "string_as_keyword": {
-            "match_mapping_type": "string",
-            "mapping": {
-              "type": "keyword",
-              "doc_values": "true"
-            }
-          }
-        }
-      ],
-      "properties": {
-        "@timestamp": {
-          "type": "date",
-          "format": "dateOptionalTime"
-        },
-        "@version": {
-          "type": "text"
-        },
-        "agent": {
-          "properties": {
-            "ip": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "name": {
-              "type": "keyword",
-              "doc_values": "true"
-            }
-          }
-        },
-        "manager": {
-          "properties": {
-            "name": {
-              "type": "keyword",
-              "doc_values": "true"
-            }
-          }
-        },
-        "dstuser": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "AlertsFile": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "full_log": {
-          "type": "text"
-        },
-        "previous_log": {
-          "type": "text"
-        },
-        "GeoLocation": {
-          "properties": {
-            "area_code": {
-              "type": "long"
-            },
-            "city_name": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "continent_code": {
-              "type": "text"
-            },
-            "coordinates": {
-              "type": "double"
-            },
-            "country_code2": {
-              "type": "text"
-            },
-            "country_code3": {
-              "type": "text"
-            },
-            "country_name": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "dma_code": {
-              "type": "long"
-            },
-            "ip": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "latitude": {
-              "type": "double"
-            },
-            "location": {
-              "type": "geo_point"
-            },
-            "longitude": {
-              "type": "double"
-            },
-            "postal_code": {
-              "type": "keyword"
-            },
-            "real_region_name": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "region_name": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "timezone": {
-              "type": "text"
-            }
-          }
-        },
-        "host": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "syscheck": {
-          "properties": {
-            "path": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "sha1_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "sha1_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "uid_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "uid_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "gid_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "gid_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "perm_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "perm_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "md5_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "md5_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "gname_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "gname_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "inode_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "inode_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "mtime_after": {
-              "type": "date",
-              "format": "dateOptionalTime",
-              "doc_values": "true"
-            },
-            "mtime_before": {
-              "type": "date",
-              "format": "dateOptionalTime",
-              "doc_values": "true"
-            },
-            "uname_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "uname_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "size_before": {
-              "type": "long",
-              "doc_values": "true"
-            },
-            "size_after": {
-              "type": "long",
-              "doc_values": "true"
-            },
-            "diff": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "event": {
-              "type": "keyword",
-              "doc_values": "true"
-            }
-          }
-        },
-        "location": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "message": {
-          "type": "text"
-        },
-        "offset": {
-          "type": "keyword"
-        },
-        "rule": {
-          "properties": {
-            "description": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "groups": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "level": {
-              "type": "long",
-              "doc_values": "true"
-            },
-            "id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "cve": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "info": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "frequency": {
-              "type": "long",
-              "doc_values": "true"
-            },
-            "firedtimes": {
-              "type": "long",
-              "doc_values": "true"
-            },
-            "cis": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "pci_dss": {
-              "type": "keyword",
-              "doc_values": "true"
-            }
-          }
-        },
-        "decoder": {
-          "properties": {
-            "parent": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "name": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "ftscomment": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "fts": {
-              "type": "long",
-              "doc_values": "true"
-            },
-            "accumulate": {
-              "type": "long",
-              "doc_values": "true"
-            }
-          }
-        },
-        "srcip": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "protocol": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "action": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "dstip": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "dstport": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "srcuser": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "program_name": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "id": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "status": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "command": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "url": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "data": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "system_name": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "type": {
-          "type": "text"
-        },
-        "title": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "oscap": {
-          "properties": {
-            "check.title": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "check.id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "check.result": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "check.severity": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "check.description": {
-              "type": "text"
-            },
-            "check.rationale": {
-              "type": "text"
-            },
-            "check.references": {
-              "type": "text"
-            },
-            "check.identifiers": {
-              "type": "text"
-            },
-            "check.oval.id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "scan.id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "scan.content": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "scan.benchmark.id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "scan.profile.title": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "scan.profile.id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "scan.score": {
-              "type": "double",
-              "doc_values": "true"
-            },
-            "scan.return_code": {
-              "type": "long",
-              "doc_values": "true"
-            }
-          }
-        },
-        "audit": {
-          "properties": {
-            "type": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "syscall": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "exit": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "ppid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "pid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "auid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "uid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "gid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "euid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "suid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "fsuid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "egid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "sgid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "fsgid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "tty": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "session": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "command": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "exe": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "key": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "cwd": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "directory.name": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "directory.inode": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "directory.mode": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "file.name": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "file.inode": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "file.mode": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "acct": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "dev": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "enforcing": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "list": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "old-auid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "old-ses": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "old_enforcing": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "old_prom": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "op": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "prom": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "res": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "srcip": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "subj": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "success": {
-              "type": "keyword",
-              "doc_values": "true"
-            }
-          }
-        }
-      }
-    },
-    "agent": {
-      "properties": {
-        "@timestamp": {
-          "type": "date",
-          "format": "dateOptionalTime"
-        },
-        "status": {
-          "type": "keyword"
-        },
-        "ip": {
-          "type": "keyword"
-        },
-        "host": {
-          "type": "keyword"
-        },
-        "name": {
-          "type": "keyword"
-        },
-        "id": {
-          "type": "keyword"
-        }
-      }
-    }
-  }
-}

nginx/Dockerfile

@@ -0,0 +1,7 @@
+FROM nginx:latest
+
+RUN apt-get update && apt-get install -y openssl apache2-utils
+
+COPY ./config/run.sh /run.sh
+
+RUN chmod 755 /run.sh

nginx/config/run.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+set -e
+
+if [ ! -d /etc/pki/tls/certs ]; then
+  echo "Generating SSL certificates"
+  mkdir -p /etc/pki/tls/certs /etc/pki/tls/private
+  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/kibana-access.key -out /etc/pki/tls/certs/kibana-access.pem >/dev/null
+else
+  echo "SSL certificates already present"
+fi
+
+if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
+  echo "Setting Nginx credentials"
+  echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null
+else
+  echo "Kibana credentials already configured"
+fi
+
+echo "Configuring NGINX"
+cat > /etc/nginx/conf.d/default.conf <<EOF
+server {
+    listen 80;
+    listen [::]:80;
+    return 301 https://\$host:$NGINX_PORT\$request_uri;
+}
+
+server {
+    listen $NGINX_PORT default_server;
+    listen [::]:$NGINX_PORT;
+    ssl on;
+    ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
+    ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
+    location / {
+        auth_basic "Restricted";
+        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
+        proxy_pass http://kibana:5601/;
+    }
+}
+EOF
+
+echo "Starting Nginx"
+nginx -g 'daemon off; error_log /dev/stdout info;'

wazuh/Dockerfile

@@ -1,27 +1,26 @@
-FROM centos:latest
+FROM phusion/baseimage:latest
-ARG FILEBEAT_VERSION=5.5.1
+ARG FILEBEAT_VERSION=6.1.3
-COPY config/*.repo /etc/yum.repos.d/
 
-RUN yum -y update; yum clean all;
+RUN apt-get update; apt-get -y dist-upgrade
-RUN yum -y install epel-release openssl useradd; yum clean all
+RUN apt-get -y install openssl postfix bsd-mailx curl apt-transport-https lsb-release
-RUN yum -y install postfix mailx cyrus-sasl cyrus-sasl-plain; yum clean all
 RUN groupadd -g 1000 ossec
 RUN useradd -u 1000 -g 1000 ossec
-RUN curl --silent --location https://rpm.nodesource.com/setup_6.x | bash - &&\
+RUN curl --silent --location https://deb.nodesource.com/setup_6.x | bash - &&\
-    yum install -y nodejs
+    apt-get install -y nodejs
-RUN yum install -y wazuh-manager wazuh-api
+RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
-
+RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
+RUN apt-get update && apt-get -y install wazuh-manager wazuh-api expect
 
 ADD config/data_dirs.env /data_dirs.env
 ADD config/init.bash /init.bash
+
 # Sync calls are due to https://github.com/docker/docker/issues/9547
 RUN chmod 755 /init.bash &&\
   sync && /init.bash &&\
   sync && rm /init.bash
 
-
+RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\
-RUN  curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm &&\
+    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm filebeat-${FILEBEAT_VERSION}-amd64.deb
-  rpm -vi filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm filebeat-${FILEBEAT_VERSION}-x86_64.rpm
 
 COPY config/filebeat.yml /etc/filebeat/
 

wazuh/config/run.sh

@@ -15,12 +15,31 @@ source /data_dirs.env
 FIRST_TIME_INSTALLATION=false
 DATA_PATH=/var/ossec/data
 
+print() {
+    echo -e $1
+}
+
+error_and_exit() {
+    echo "Error executing command: '$1'."
+    echo 'Exiting.'
+    exit 1
+}
+
+exec_cmd() {
+    eval $1 > /dev/null 2>&1 || error_and_exit "$1"
+}
+
+
+edit_configuration() { # $1 -> setting,  $2 -> value
+    sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
+}
+
 for ossecdir in "${DATA_DIRS[@]}"; do
   if [ ! -e "${DATA_PATH}/${ossecdir}" ]
   then
-    echo "Installing ${ossecdir}"
+    print "Installing ${ossecdir}"
-    mkdir -p $(dirname ${DATA_PATH}/${ossecdir})
+    exec_cmd "mkdir -p $(dirname ${DATA_PATH}/${ossecdir})"
-    cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}
+    exec_cmd "cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}"
     FIRST_TIME_INSTALLATION=true
   fi
 done
@@ -30,29 +49,37 @@ chgrp ossec ${DATA_PATH}/process_list
 chmod g+rw ${DATA_PATH}/process_list
 
 AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
+API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
 
 if [ $FIRST_TIME_INSTALLATION == true ]
 then
-
   if [ $AUTO_ENROLLMENT_ENABLED == true ]
   then
     if [ ! -e ${DATA_PATH}/etc/sslmanager.key ]
     then
-      echo "Creating ossec-authd key and cert"
+      print "Creating ossec-authd key and cert"
-      openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096
+      exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096"
-      openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key\
+      exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
-        -out ${DATA_PATH}/etc/sslmanager.cert -days 3650\
+    fi
-        -subj /CN=${HOSTNAME}/
+  fi
+  if [ $API_GENERATE_CERTS == true ]
+  then
+    if [ ! -e ${DATA_PATH}/api/configuration/ssl/server.crt ]
+    then
+      print "Enabling Wazuh API HTTPS"
+      edit_configuration "https" "yes"
+      print "Create Wazuh API key and cert"
+      exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096"
+      exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
     fi
   fi
 fi
 
+#Enabling ossec-authd.
+exec_cmd "/var/ossec/bin/ossec-control enable auth"
+
 function ossec_shutdown(){
-  /var/ossec/bin/ossec-control stop;
+  ${DATA_PATH}/bin/ossec-control stop;
-  if [ $AUTO_ENROLLMENT_ENABLED == true ]
-  then
-     kill $AUTHD_PID
-  fi
 }
 
 # Trap exit signals and do a proper shutdown
@@ -60,20 +87,9 @@ trap "ossec_shutdown; exit" SIGINT SIGTERM
 
 chmod -R g+rw ${DATA_PATH}
 
-if [ $AUTO_ENROLLMENT_ENABLED == true ]
+service postfix start
-then
+service wazuh-api start
-  echo "Starting ossec-authd..."
+service wazuh-manager start
-  /var/ossec/bin/ossec-authd -p 1515 -g ossec $AUTHD_OPTIONS >/dev/null 2>&1 &
+service filebeat start
-  AUTHD_PID=$!
-fi
-sleep 15 # give ossec a reasonable amount of time to start before checking status
-LAST_OK_DATE=`date +%s`
-
-## Start services
-/usr/sbin/postfix start
-/bin/node /var/ossec/api/app.js &
-/usr/bin/filebeat.sh &
-/var/ossec/bin/ossec-control restart
-
 
 tail -f /var/ossec/logs/ossec.log

wazuh/config/wazuh.repo

@@ -1,7 +0,0 @@
-[wazuh_repo]
-gpgcheck=1
-gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
-enabled=1
-name=CENTOS-$releasever - Wazuh
-baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch
-protect=1