Merge pull request #22 from wazuh/revert-21-dev

Revert "Adding Nginx container"
2025-11-01 12:33:44 +00:00 · 2017-10-01 12:58:14 -04:00 · 2017-10-01 12:57:27 -04:00 · 2017-10-01 12:48:35 -04:00 · 2017-09-24 14:02:32 -04:00
24 changed files with 867 additions and 471 deletions
--- a/README.md
+++ b/README.md
@@ -1,10 +1,5 @@
 # Wazuh containers for Docker

-[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://goo.gl/forms/M2AoZC4b2R9A9Zy12)
-[![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
-[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
-[![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
-
 In this repository you will find the containers to run:

 * wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
@@ -15,7 +10,7 @@ In addition, a docker-compose file is provided to launch the containers mentione

 ## Current release

-Containers are currently tested on Wazuh version 3.6.1 and Elastic Stack version 6.4.1. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
+Containers are currently tested on Wazuh version 2.0 and Elastic Stack version 5.5.2. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.

 ## Installation notes

@@ -25,34 +20,7 @@ To run all docker instances you can just run ``docker-compose up``, from the dir
 * Kibana container can take a few minutes to install Wazuh plugin, this takes place after ``Optimizing and caching browser bundles...`` is printed out.
 * It is recommended to set Docker host preferences to give at least 4GB memory per container (this doesn't necessarily mean they all will use it, but Elasticsearch requires them to work properly).

-Once installed you can browse through the interface at: https://127.0.0.1
-
-## Mount custom Wazuh configuration files
-
-To mount custom Wazuh configuration files in the Wazuh manager container, mount them in the `/wazuh-config-mount` folder. For example, to mount a custom `ossec.conf` file, mount it in `/wazuh-config-mount/etc/ossec.conf` and the [run.sh](wazuh/config/run.sh) script will copy the file at the right place on boot while respecting the destination file permissions.
-
-Here is an example of a `/wazuh-config-mount` folder used to mount some common custom configuration files:
-```
-root@wazuh-manager:/# tree /wazuh-config-mount/
-/wazuh-config-mount/
-└── etc
-    ├── ossec.conf
-    ├── rules
-    │   └── local_rules.xml
-    └── shared
-        └── default
-            └── agent.conf
-
-4 directories, 3 files
-```
-
-In that case, you will see this in the Wazuh manager logs on boot:
-```
-Identified Wazuh configuration files to mount...
-'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/data/etc/ossec.conf'
-'/wazuh-config-mount/etc/rules/local_rules.xml' -> '/var/ossec/data/etc/rules/local_rules.xml'
-'/wazuh-config-mount/etc/shared/default/agent.conf' -> '/var/ossec/data/etc/shared/default/agent.conf'
-```
+Once installed you can browse through the interface at: http://127.0.0.1:5601

 ## More documentation

@@ -69,10 +37,6 @@ These Docker containers are based on:

 We thank you them and everyone else who has contributed to this project.

-## License and copyright
-
-Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-
 ## Wazuh official website

 [Wazuh website](http://wazuh.com)
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,9 +1,8 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 version: '2'

 services:
  wazuh:
-    image: wazuh/wazuh:3.6.1_6.4.1
+    image: wazuh/wazuh
    hostname: wazuh-manager
    restart: always
    ports:
@@ -11,86 +10,61 @@ services:
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
-#      - "1516:1516"
    networks:
        - docker_elk
 #    volumes:
-#      - my-path:/var/ossec/data:Z
-#      - my-path:/etc/postfix:Z
-#      - my-path:/etc/filebeat
-#      - my-custom-config-path/ossec.conf:/wazuh-config-mount/etc/ossec.conf
+#      - my-path:/var/ossec/data
+#      - my-path:/etc/postfix
    depends_on:
-      - logstash
+      - elasticsearch
  logstash:
-    image: wazuh/wazuh-logstash:3.6.1_6.4.1
+    image: wazuh/wazuh-logstash
    hostname: logstash
    restart: always
+    command: -f /etc/logstash/conf.d/
 #    volumes:
-#      - my-path:/etc/logstash/conf.d:Z
+#      - my-path:/etc/logstash/conf.d
    links:
-      - elasticsearch:elasticsearch
+     - kibana
+     - elasticsearch:elasticsearch
    ports:
      - "5000:5000"
    networks:
-      - docker_elk
+        - docker_elk
    depends_on:
      - elasticsearch
    environment:
      - LS_HEAP_SIZE=2048m
  elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch:6.4.1
+    image: elasticsearch:5.5.2
    hostname: elasticsearch
    restart: always
+    command: elasticsearch -E node.name="node-1" -E cluster.name="wazuh" -E network.host=0.0.0.0
    ports:
      - "9200:9200"
-#      - "9300:9300"
+      - "9300:9300"
    environment:
-      - node.name=node-1
-      - cluster.name=wazuh
-      - network.host=0.0.0.0
-      - bootstrap.memory_lock=true
-      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-    mem_limit: 2g
+      ES_JAVA_OPTS: "-Xms2g -Xmx2g"
 #    volumes:
-#      - my-path:/usr/share/elasticsearch/data:Z
+#      - my-path:/usr/share/elasticsearch/data
    networks:
        - docker_elk
  kibana:
-    image: wazuh/wazuh-kibana:3.6.1_6.4.1
+    image: wazuh/wazuh-kibana
    hostname: kibana
    restart: always
-#    ports:
-#      - "5601:5601"
-#    environment:
-#      - ELASTICSEARCH_URL=http://elasticsearch:9200
+    ports:
+      - "5601:5601"
    networks:
-      - docker_elk
+        - docker_elk
    depends_on:
      - elasticsearch
    links:
      - elasticsearch:elasticsearch
-      - wazuh:wazuh
-  nginx:
-    image: wazuh/wazuh-nginx:3.6.1_6.4.1
-    hostname: nginx
-    restart: always
-    environment:
-      - NGINX_PORT=443
-    ports:
-      - "80:80"
-      - "443:443"
-#    volumes:
-#      - my-path:/etc/nginx/conf.d:Z
-    networks:
-      - docker_elk
-    depends_on:
-      - kibana
-    links:
-      - kibana:kibana
+      - wazuh
+    entrypoint: sh wait-for-it.sh elasticsearch
+#    environment:
+#      - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.1.0-5.5.1.zip"

 networks:
  docker_elk:
--- a/images/image-1.png
+++ b/images/image-1.png
--- a/images/image-2.png
+++ b/images/image-2.png
--- a/kibana/Dockerfile
+++ b/kibana/Dockerfile
@@ -1,19 +1,7 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana:6.4.1
-ARG WAZUH_APP_VERSION=3.6.1_6.4.1
-USER root
+FROM kibana:5.5.2

-ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
+RUN apt-get update && apt-get install -y curl

-ADD https://raw.githubusercontent.com/wazuh/wazuh/3.6/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
+COPY ./config/kibana.yml /opt/kibana/config/kibana.yml

-RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
-    chown -R kibana:kibana /usr/share/kibana &&\
-    rm -rf /tmp/*
-
-COPY config/entrypoint.sh /entrypoint.sh
-RUN chmod 755 /entrypoint.sh
-
-USER kibana
-
-ENTRYPOINT /entrypoint.sh
+COPY config/wait-for-it.sh /
--- a/kibana/config/entrypoint.sh
+++ b/kibana/config/entrypoint.sh
@@ -1,56 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-
-set -e
-
-if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_URL}"
-fi
-
-until curl -XGET $el_url; do
-  >&2 echo "Elastic is unavailable - sleeping"
-  sleep 5
-done
-
->&2 echo "Elastic is up - executing command"
-
-#Insert default templates
-cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "$el_url/_template/wazuh" -H 'Content-Type: application/json' -d @-
-sleep 5
-
-echo "Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013)
-if [ "x$CONFIG_CODE" = "x404" ]; then
-  curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
-  {
-    "api_user": "foo",
-    "api_password": "YmFy",
-    "url": "https://wazuh",
-    "api_port": "55000",
-    "insecure": "true",
-    "component": "API",
-    "cluster_info": {
-      "manager": "wazuh-manager",
-      "cluster": "Disabled",
-      "status": "disabled"
-    },
-    "extensions": {
-      "oscap": true,
-      "audit": true,
-      "pci": true,
-      "aws": true,
-      "virustotal": true,
-      "gdpr": true,
-      "ciscat": true
-    }
-  }
-  ' > /dev/null
-else
-  echo "Wazuh APP already configured"
-fi
-
-sleep 5
-
-/usr/local/bin/kibana-docker
--- a/kibana/config/wait-for-it.sh
+++ b/kibana/config/wait-for-it.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+set -e
+
+host="$1"
+shift
+cmd="kibana"
+WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-2.1.0_5.5.2.zip}
+
+until curl -XGET $host:9200; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 1
+done
+
+sleep 30
+
+>&2 echo "Elastic is up - executing command"
+
+if /usr/share/kibana/bin/kibana-plugin list | grep wazuh; then
+  echo "Wazuh APP already installed"
+else
+  /usr/share/kibana/bin/kibana-plugin install ${WAZUH_KIBANA_PLUGIN_URL}
+fi
+
+sleep 30
+
+echo "Configuring defaultIndex to wazuh-alerts-*"
+
+curl -s -XPUT http://$host:9200/.kibana/config/5.5.2 -d '{"defaultIndex" : "wazuh-alerts-*"}' > /dev/null
+
+sleep 30
+
+echo "Setting API credentials into Wazuh APP"
+
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/apiconfig)
+if [ "x$CONFIG_CODE" = "x404" ]; then
+  curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/apiconfig -H 'Content-Type: application/json' -d'
+  {
+    "api_user": "foo",
+    "api_password": "YmFy",
+    "url": "http://wazuh",
+    "api_port": "55000",
+    "insecure": "true",
+    "component": "API",
+    "active": "true",
+    "manager": "wazuh-manager",
+    "extensions": {
+      "oscap": true,
+      "audit": true,
+      "pci": true
+    }
+  }
+  ' > /dev/null
+else
+  echo "Wazuh APP already configured"
+fi
+
+exec $cmd
--- a/logstash/Dockerfile
+++ b/logstash/Dockerfile
@@ -1,6 +1,12 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/logstash/logstash:6.4.1
+FROM logstash:5.5.2

-RUN rm -f /usr/share/logstash/pipeline/logstash.conf
+RUN apt-get update

-COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf
+COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf
+COPY config/wazuh-elastic5-template.json /etc/logstash/wazuh-elastic5-template.json
+
+
+ADD config/run.sh /tmp/run.sh
+RUN chmod 755 /tmp/run.sh
+
+ENTRYPOINT ["/tmp/run.sh"]
--- a/logstash/config/01-wazuh.conf
+++ b/logstash/config/01-wazuh.conf
@@ -1,45 +0,0 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-# Wazuh - Logstash configuration file
-## Remote Wazuh Manager - Filebeat input
-input {
-    beats {
-        port => 5000
-        codec => "json_lines"
-#       ssl => true
-#       ssl_certificate => "/etc/logstash/logstash.crt"
-#       ssl_key => "/etc/logstash/logstash.key"
-    }
-}
-filter {
-    if [data][srcip] {
-        mutate {
-            add_field => [ "@src_ip", "%{[data][srcip]}" ]
-        }
-    }
-    if [data][aws][sourceIPAddress] {
-        mutate {
-            add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
-        }
-    }
-}
-filter {
-    geoip {
-        source => "@src_ip"
-        target => "GeoLocation"
-        fields => ["city_name", "country_name", "region_name", "location"]
-    }
-    date {
-        match => ["timestamp", "ISO8601"]
-        target => "@timestamp"
-    }
-    mutate {
-        remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
-    }
-}
-output {
-    elasticsearch {
-        hosts => ["elasticsearch:9200"]
-        index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
-        document_type => "wazuh"
-    }
-}
--- a/logstash/config/logstash.conf
+++ b/logstash/config/logstash.conf
@@ -0,0 +1,43 @@
+# Wazuh - Logstash configuration file
+## Remote Wazuh Manager - Filebeat input
+input {
+    beats {
+        port => 5000
+        codec => "json_lines"
+#        ssl => true
+#        ssl_certificate => "/etc/logstash/logstash.crt"
+#        ssl_key => "/etc/logstash/logstash.key"
+    }
+}
+## Local Wazuh Manager - JSON file input
+#input {
+#   file {
+#       type => "wazuh-alerts"
+#       path => "/var/ossec/logs/alerts/alerts.json"
+#       codec => "json"
+#   }
+#}
+filter {
+    geoip {
+        source => "srcip"
+        target => "GeoLocation"
+        fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
+    }
+    date {
+        match => ["timestamp", "ISO8601"]
+        target => "@timestamp"
+    }
+    mutate {
+        remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"]
+    }
+}
+output {
+    elasticsearch {
+        hosts => ["elasticsearch:9200"]
+        index => "wazuh-alerts-%{+YYYY.MM.dd}"
+        document_type => "wazuh"
+        template => "/etc/logstash/wazuh-elastic5-template.json"
+        template_name => "wazuh"
+        template_overwrite => true
+    }
+}
--- a/logstash/config/run.sh
+++ b/logstash/config/run.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+
 #
 # OSSEC container bootstrap. See the README for information of the environment
 # variables expected by this script.
--- a/logstash/config/wazuh-elastic5-template.json
+++ b/logstash/config/wazuh-elastic5-template.json
@@ -0,0 +1,620 @@
+{
+  "order": 0,
+  "template": "wazuh*",
+  "settings": {
+    "index.refresh_interval": "5s"
+  },
+  "mappings": {
+    "wazuh": {
+      "dynamic_templates": [
+        {
+          "string_as_keyword": {
+            "match_mapping_type": "string",
+            "mapping": {
+              "type": "keyword",
+              "doc_values": "true"
+            }
+          }
+        }
+      ],
+      "properties": {
+        "@timestamp": {
+          "type": "date",
+          "format": "dateOptionalTime"
+        },
+        "@version": {
+          "type": "text"
+        },
+        "agent": {
+          "properties": {
+            "ip": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "name": {
+              "type": "keyword",
+              "doc_values": "true"
+            }
+          }
+        },
+        "manager": {
+          "properties": {
+            "name": {
+              "type": "keyword",
+              "doc_values": "true"
+            }
+          }
+        },
+        "dstuser": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "AlertsFile": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "full_log": {
+          "type": "text"
+        },
+        "previous_log": {
+          "type": "text"
+        },
+        "GeoLocation": {
+          "properties": {
+            "area_code": {
+              "type": "long"
+            },
+            "city_name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "continent_code": {
+              "type": "text"
+            },
+            "coordinates": {
+              "type": "double"
+            },
+            "country_code2": {
+              "type": "text"
+            },
+            "country_code3": {
+              "type": "text"
+            },
+            "country_name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "dma_code": {
+              "type": "long"
+            },
+            "ip": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "latitude": {
+              "type": "double"
+            },
+            "location": {
+              "type": "geo_point"
+            },
+            "longitude": {
+              "type": "double"
+            },
+            "postal_code": {
+              "type": "keyword"
+            },
+            "real_region_name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "region_name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "timezone": {
+              "type": "text"
+            }
+          }
+        },
+        "host": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "syscheck": {
+          "properties": {
+            "path": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "sha1_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "sha1_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "uid_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "uid_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "gid_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "gid_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "perm_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "perm_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "md5_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "md5_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "gname_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "gname_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "inode_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "inode_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "mtime_after": {
+              "type": "date",
+              "format": "dateOptionalTime",
+              "doc_values": "true"
+            },
+            "mtime_before": {
+              "type": "date",
+              "format": "dateOptionalTime",
+              "doc_values": "true"
+            },
+            "uname_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "uname_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "size_before": {
+              "type": "long",
+              "doc_values": "true"
+            },
+            "size_after": {
+              "type": "long",
+              "doc_values": "true"
+            },
+            "diff": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "event": {
+              "type": "keyword",
+              "doc_values": "true"
+            }
+          }
+        },
+        "location": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "message": {
+          "type": "text"
+        },
+        "offset": {
+          "type": "keyword"
+        },
+        "rule": {
+          "properties": {
+            "description": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "groups": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "level": {
+              "type": "long",
+              "doc_values": "true"
+            },
+            "id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "cve": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "info": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "frequency": {
+              "type": "long",
+              "doc_values": "true"
+            },
+            "firedtimes": {
+              "type": "long",
+              "doc_values": "true"
+            },
+            "cis": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "pci_dss": {
+              "type": "keyword",
+              "doc_values": "true"
+            }
+          }
+        },
+        "decoder": {
+          "properties": {
+            "parent": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "ftscomment": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "fts": {
+              "type": "long",
+              "doc_values": "true"
+            },
+            "accumulate": {
+              "type": "long",
+              "doc_values": "true"
+            }
+          }
+        },
+        "srcip": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "protocol": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "action": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "dstip": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "dstport": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "srcuser": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "program_name": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "id": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "status": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "command": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "url": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "data": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "system_name": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "type": {
+          "type": "text"
+        },
+        "title": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "oscap": {
+          "properties": {
+            "check.title": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "check.id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "check.result": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "check.severity": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "check.description": {
+              "type": "text"
+            },
+            "check.rationale": {
+              "type": "text"
+            },
+            "check.references": {
+              "type": "text"
+            },
+            "check.identifiers": {
+              "type": "text"
+            },
+            "check.oval.id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "scan.id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "scan.content": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "scan.benchmark.id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "scan.profile.title": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "scan.profile.id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "scan.score": {
+              "type": "double",
+              "doc_values": "true"
+            },
+            "scan.return_code": {
+              "type": "long",
+              "doc_values": "true"
+            }
+          }
+        },
+        "audit": {
+          "properties": {
+            "type": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "syscall": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "exit": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "ppid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "pid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "auid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "uid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "gid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "euid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "suid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "fsuid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "egid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "sgid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "fsgid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "tty": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "session": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "command": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "exe": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "key": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "cwd": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "directory.name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "directory.inode": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "directory.mode": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "file.name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "file.inode": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "file.mode": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "acct": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "dev": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "enforcing": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "list": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "old-auid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "old-ses": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "old_enforcing": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "old_prom": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "op": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "prom": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "res": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "srcip": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "subj": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "success": {
+              "type": "keyword",
+              "doc_values": "true"
+            }
+          }
+        }
+      }
+    },
+    "agent": {
+      "properties": {
+        "@timestamp": {
+          "type": "date",
+          "format": "dateOptionalTime"
+        },
+        "status": {
+          "type": "keyword"
+        },
+        "ip": {
+          "type": "keyword"
+        },
+        "host": {
+          "type": "keyword"
+        },
+        "name": {
+          "type": "keyword"
+        },
+        "id": {
+          "type": "keyword"
+        }
+      }
+    }
+  }
+}
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -1,16 +0,0 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM nginx:latest
-
-ENV DEBIAN_FRONTEND noninteractive
-
-RUN apt-get update && apt-get install -y openssl apache2-utils
-
-COPY config/entrypoint.sh /entrypoint.sh
-
-RUN chmod 755 /entrypoint.sh
-
-RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-
-VOLUME ["/etc/nginx/conf.d"]
-
-ENTRYPOINT /entrypoint.sh
--- a/nginx/config/entrypoint.sh
+++ b/nginx/config/entrypoint.sh
@@ -1,54 +0,0 @@
-#!/bin/sh
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-
-set -e
-
-# Generating certificates.
-if [ ! -d /etc/nginx/conf.d/ssl ]; then
-  echo "Generating SSL certificates"
-  mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private
-  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null
-else
-  echo "SSL certificates already present"
-fi
-
-# Configuring default credentiales.
-if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
-  echo "Setting Nginx credentials"
-  echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null
-else
-  echo "Kibana credentials already configured"
-fi
-
-
-if [ "x${NGINX_PORT}" = "x" ]; then
-  NGINX_PORT=443
-fi
-
-if [ "x${KIBANA_HOST}" = "x" ]; then
-  KIBANA_HOST="kibana:5601"
-fi
-
-echo "Configuring NGINX"
-cat > /etc/nginx/conf.d/default.conf <<EOF
-server {
-    listen 80;
-    listen [::]:80;
-    return 301 https://\$host:${NGINX_PORT}\$request_uri;
-}
-
-server {
-    listen ${NGINX_PORT} default_server;
-    listen [::]:${NGINX_PORT};
-    ssl on;
-    ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
-    ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
-    location / {
-        auth_basic "Restricted";
-        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
-        proxy_pass http://${KIBANA_HOST}/;
-    }
-}
-EOF
-
-nginx -g 'daemon off;'
--- a/wazuh/Dockerfile
+++ b/wazuh/Dockerfile
@@ -1,77 +1,37 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM phusion/baseimage:latest
-ARG FILEBEAT_VERSION=6.4.1
-ARG WAZUH_VERSION=3.6.1-1
+FROM centos:latest
+ARG FILEBEAT_VERSION=5.5.2
+COPY config/*.repo /etc/yum.repos.d/

-# Updating image
-RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
-
-# Set Wazuh repository.
-RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
-RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
-
-# Set nodejs repository.
-RUN curl --silent --location https://deb.nodesource.com/setup_8.x | bash -
-
-# Creating ossec user as uid:gid 1000:1000
+RUN yum -y update; yum clean all;
+RUN yum -y install epel-release openssl useradd; yum clean all
+RUN yum -y install postfix mailx cyrus-sasl cyrus-sasl-plain; yum clean all
 RUN groupadd -g 1000 ossec
 RUN useradd -u 1000 -g 1000 ossec
+RUN curl --silent --location https://rpm.nodesource.com/setup_6.x | bash - &&\
+    yum install -y nodejs
+RUN yum install -y wazuh-manager wazuh-api

-# Configure postfix
-RUN echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections
-RUN echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections

-# Install packages
-RUN apt-get update && apt-get -y install openssl postfix bsd-mailx python-boto python-pip  \
-    apt-transport-https vim expect nodejs python-cryptography wazuh-manager=${WAZUH_VERSION} \
-    wazuh-api=${WAZUH_VERSION}
-
-# Adding first run script.
 ADD config/data_dirs.env /data_dirs.env
 ADD config/init.bash /init.bash
-
 # Sync calls are due to https://github.com/docker/docker/issues/9547
 RUN chmod 755 /init.bash &&\
-    sync && /init.bash &&\
-    sync && rm /init.bash
+  sync && /init.bash &&\
+  sync && rm /init.bash
+
+
+RUN  curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm &&\
+  rpm -vi filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm filebeat-${FILEBEAT_VERSION}-x86_64.rpm

-# Installing and configuring fiebeat
-RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\
-    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
 COPY config/filebeat.yml /etc/filebeat/
-RUN chmod go-w /etc/filebeat/filebeat.yml

-# Adding entrypoint
-ADD config/entrypoint.sh /entrypoint.sh
-RUN chmod 755 /entrypoint.sh
+ADD config/run.sh /tmp/run.sh
+RUN chmod 755 /tmp/run.sh

-# Setting volumes
 VOLUME ["/var/ossec/data"]
-VOLUME ["/etc/filebeat"]
-VOLUME ["/etc/postfix"]

-# Services ports
-EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
+EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp

-# Clean up
-RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+# Run supervisord so that the container will stay alive

-# Adding services
-RUN mkdir /etc/service/wazuh
-COPY config/wazuh.runit.service /etc/service/wazuh/run
-RUN chmod +x /etc/service/wazuh/run
-
-RUN mkdir /etc/service/wazuh-api
-COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
-RUN chmod +x /etc/service/wazuh-api/run
-
-RUN mkdir /etc/service/postfix
-COPY config/postfix.runit.service /etc/service/postfix/run
-RUN chmod +x /etc/service/postfix/run
-
-RUN mkdir /etc/service/filebeat
-COPY config/filebeat.runit.service /etc/service/filebeat/run
-RUN chmod +x /etc/service/filebeat/run
-
-# Run all services
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/tmp/run.sh"]
--- a/wazuh/config/entrypoint.sh
+++ b/wazuh/config/entrypoint.sh
@@ -1,116 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-
-#
-# OSSEC container bootstrap. See the README for information of the environment
-# variables expected by this script.
-#
-
-#
-
-#
-# Startup the services
-#
-
-source /data_dirs.env
-
-FIRST_TIME_INSTALLATION=false
-
-WAZUH_INSTALL_PATH=/var/ossec
-DATA_PATH=${WAZUH_INSTALL_PATH}/data
-
-WAZUH_CONFIG_MOUNT=/wazuh-config-mount
-
-print() {
-    echo -e $1
-}
-
-error_and_exit() {
-    echo "Error executing command: '$1'."
-    echo 'Exiting.'
-    exit 1
-}
-
-exec_cmd() {
-    eval $1 > /dev/null 2>&1 || error_and_exit "$1"
-}
-
-exec_cmd_stdout() {
-    eval $1 2>&1 || error_and_exit "$1"
-}
-
-edit_configuration() { # $1 -> setting,  $2 -> value
-    sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
-}
-
-for ossecdir in "${DATA_DIRS[@]}"; do
-  if [ ! -e "${DATA_PATH}/${ossecdir}" ]
-  then
-    print "Installing ${ossecdir}"
-    exec_cmd "mkdir -p $(dirname ${DATA_PATH}/${ossecdir})"
-    exec_cmd "cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}"
-    FIRST_TIME_INSTALLATION=true
-  fi
-done
-
-touch ${DATA_PATH}/process_list
-chgrp ossec ${DATA_PATH}/process_list
-chmod g+rw ${DATA_PATH}/process_list
-
-AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
-API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
-
-if [ $FIRST_TIME_INSTALLATION == true ]
-then
-  if [ $AUTO_ENROLLMENT_ENABLED == true ]
-  then
-    if [ ! -e ${DATA_PATH}/etc/sslmanager.key ]
-    then
-      print "Creating ossec-authd key and cert"
-      exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096"
-      exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
-    fi
-  fi
-  if [ $API_GENERATE_CERTS == true ]
-  then
-    if [ ! -e ${DATA_PATH}/api/configuration/ssl/server.crt ]
-    then
-      print "Enabling Wazuh API HTTPS"
-      edit_configuration "https" "yes"
-      print "Create Wazuh API key and cert"
-      exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096"
-      exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
-    fi
-  fi
-fi
-
-##############################################################################
-# Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect
-# destination files permissions
-#
-# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
-# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
-# replace the ossec.conf file in /var/ossec/data/etc with yours.
-##############################################################################
-if [ -e "$WAZUH_CONFIG_MOUNT" ]
-then
-  print "Identified Wazuh configuration files to mount..."
-
-  exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $DATA_PATH"
-else
-  print "No Wazuh configuration files to mount..."
-fi
-
-# Enabling ossec-authd.
-exec_cmd "/var/ossec/bin/ossec-control enable auth"
-
-function ossec_shutdown(){
-  ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
-}
-
-# Trap exit signals and do a proper shutdown
-trap "ossec_shutdown; exit" SIGINT SIGTERM
-
-chmod -R g+rw ${DATA_PATH}
-
-/sbin/my_init 
--- a/wazuh/config/filebeat.runit.service
+++ b/wazuh/config/filebeat.runit.service
@@ -1,3 +0,0 @@
-#!/bin/sh
-service filebeat start
-tail -f /var/log/filebeat/filebeat
--- a/wazuh/config/filebeat.yml
+++ b/wazuh/config/filebeat.yml
@@ -1,4 +1,3 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 filebeat:
 prospectors:
  - input_type: log
--- a/wazuh/config/init.bash
+++ b/wazuh/config/init.bash
@@ -1,5 +1,4 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)

 #
 # Initialize the custom data directory layout
--- a/wazuh/config/postfix.runit.service
+++ b/wazuh/config/postfix.runit.service
@@ -1,3 +0,0 @@
-#!/bin/sh
-service postfix start
-tail -f /var/log/mail.log
--- a/wazuh/config/run.sh
+++ b/wazuh/config/run.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+#
+# OSSEC container bootstrap. See the README for information of the environment
+# variables expected by this script.
+#
+
+#
+
+#
+# Startup the services
+#
+
+source /data_dirs.env
+FIRST_TIME_INSTALLATION=false
+DATA_PATH=/var/ossec/data
+
+for ossecdir in "${DATA_DIRS[@]}"; do
+  if [ ! -e "${DATA_PATH}/${ossecdir}" ]
+  then
+    echo "Installing ${ossecdir}"
+    mkdir -p $(dirname ${DATA_PATH}/${ossecdir})
+    cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}
+    FIRST_TIME_INSTALLATION=true
+  fi
+done
+
+touch ${DATA_PATH}/process_list
+chgrp ossec ${DATA_PATH}/process_list
+chmod g+rw ${DATA_PATH}/process_list
+
+AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
+
+if [ $FIRST_TIME_INSTALLATION == true ]
+then
+
+  if [ $AUTO_ENROLLMENT_ENABLED == true ]
+  then
+    if [ ! -e ${DATA_PATH}/etc/sslmanager.key ]
+    then
+      echo "Creating ossec-authd key and cert"
+      openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096
+      openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key\
+        -out ${DATA_PATH}/etc/sslmanager.cert -days 3650\
+        -subj /CN=${HOSTNAME}/
+    fi
+  fi
+fi
+
+function ossec_shutdown(){
+  /var/ossec/bin/ossec-control stop;
+  if [ $AUTO_ENROLLMENT_ENABLED == true ]
+  then
+     kill $AUTHD_PID
+  fi
+}
+
+# Trap exit signals and do a proper shutdown
+trap "ossec_shutdown; exit" SIGINT SIGTERM
+
+chmod -R g+rw ${DATA_PATH}
+
+if [ $AUTO_ENROLLMENT_ENABLED == true ]
+then
+  echo "Starting ossec-authd..."
+  /var/ossec/bin/ossec-authd -p 1515 -g ossec $AUTHD_OPTIONS >/dev/null 2>&1 &
+  AUTHD_PID=$!
+fi
+sleep 15 # give ossec a reasonable amount of time to start before checking status
+LAST_OK_DATE=`date +%s`
+
+## Start services
+/usr/sbin/postfix start
+/bin/node /var/ossec/api/app.js &
+/usr/bin/filebeat.sh &
+/var/ossec/bin/ossec-control restart
+
+
+tail -f /var/ossec/logs/ossec.log
--- a/wazuh/config/wazuh-api.runit.service
+++ b/wazuh/config/wazuh-api.runit.service
@@ -1,4 +0,0 @@
-#!/bin/sh
-service wazuh-api start
-tail -f /var/ossec/data/logs/api.log
-
--- a/wazuh/config/wazuh.repo
+++ b/wazuh/config/wazuh.repo
@@ -0,0 +1,7 @@
+[wazuh_repo]
+gpgcheck=1
+gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
+enabled=1
+name=CENTOS-$releasever - Wazuh
+baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch
+protect=1
--- a/wazuh/config/wazuh.runit.service
+++ b/wazuh/config/wazuh.runit.service
@@ -1,4 +0,0 @@
-#!/bin/sh
-service wazuh-manager start
-tail -f /var/ossec/data/logs/ossec.log
-
Author	SHA1	Message	Date
José Luis Ruiz	9f192202fd	Merge pull request #22 from wazuh/revert-21-dev Revert "Adding Nginx container"	2017-10-01 12:58:14 -04:00
José Luis Ruiz	d8cd0ba7d0	Revert "Adding Nginx container"	2017-10-01 12:57:27 -04:00
José Luis Ruiz	349213bac5	Merge pull request #21 from wazuh/dev Adding Nginx container	2017-10-01 12:48:35 -04:00
José Luis Ruiz	8547b3b45a	Merge pull request #18 from wazuh/dev Configure Wazuh API	2017-09-24 14:02:32 -04:00