paulmataruso/wazuh-docker-orginal
1
0
Fork 0
mirror of https://github.com/wazuh/wazuh-docker.git synced 2025-10-29 02:53:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: paulmataruso:4.0
Branches Tags
paulmataruso:main paulmataruso:2693-delete-config-files paulmataruso:4.14.1 paulmataruso:test_adapt_arm paulmataruso:4.10.4 paulmataruso:4.13.0-rc4-tag paulmataruso:2577-test-bucket paulmataruso:6.0.0 paulmataruso:change/1824-rootless-podman-with-selinux paulmataruso:test-arm-build paulmataruso:enhancement/1624-docker-compose-v2 paulmataruso:4.9.0 paulmataruso:461-centralize-conf-files paulmataruso:4.5 paulmataruso:4.4 paulmataruso:4.4.4 paulmataruso:4.3 paulmataruso:816-persistent-files-that-should-not-be-kept paulmataruso:817-automatic-release-of-docker-images paulmataruso:4.3.11 paulmataruso:3.13 paulmataruso:4.2 paulmataruso:4.1 paulmataruso:4.0 paulmataruso:4.0.4 paulmataruso:devel paulmataruso:3.11.2_7.5.1-oss paulmataruso:3.10.2_7.5.0 paulmataruso:3.10.0_7.3.2 paulmataruso:3.10.2_7.3.2 paulmataruso:3.10-wazuh-refactor paulmataruso:3.9.5_7.2.1 paulmataruso:3.9.4_7.2.0 paulmataruso:3.9.5_7.3.0-oss paulmataruso:3.10_7.3.0 paulmataruso:3.9.4_7.1.1-opendistro-security paulmataruso:3.9.3_6.8.1 paulmataruso:3.9.1_6.8.0 paulmataruso:3.9.2_6.8.0 paulmataruso:3.9.4_6.8.2 paulmataruso:3.9.3_7.1.1-opendistro paulmataruso:3.9.3_7.1.1-opendistro-security paulmataruso:3.9.3_7.2.0_oss paulmataruso:3.9.3_7.2.0 paulmataruso:3.9.2_7.1.1 paulmataruso:3.9.0_6.7.2 paulmataruso:3.9.0_6.7.1 paulmataruso:3.8.2_6.5.4-oss paulmataruso:3.9.1_7.1.0 paulmataruso:3.8.2_6.5.4 paulmataruso:3.10.0_7.0.0 paulmataruso:3.8.2_6.7.0 paulmataruso:3.8.2_6.6.2 paulmataruso:3.8.2_6.6.1 paulmataruso:6.8.2_6.6.1 paulmataruso:3.8.1_6.5.4 paulmataruso:3.8.0_6.5.4 paulmataruso:3.7.2_6.5.4 paulmataruso:3.7.2_6.5.3 paulmataruso:3.7.1_6.5.3 paulmataruso:3.7.0_6.5.0 paulmataruso:3.7.0_6.4.3 paulmataruso:3.6.1_6.4.2 paulmataruso:3.6.1_6.4.1 paulmataruso:3.6.1_6.4.0 paulmataruso:3.6.0_6.4.0 paulmataruso:3.5.0_6.3.2 paulmataruso:3.4.0_6.3.2 paulmataruso:3.4.0_6.3.1 paulmataruso:3.3.1_6.3.1 paulmataruso:3.3.1_6.3.0 paulmataruso:3.3.1_6.2.4 paulmataruso:3.3.0_6.2.4 paulmataruso:3.2.4_6.2.4 paulmataruso:3.2.3_6.2.4 paulmataruso:3.2.2_6.2.4 paulmataruso:3.2.1_6.2.4 paulmataruso:3.2.1_6.2.3 paulmataruso:3.2.1_6.2.2 paulmataruso:3.2.0_6.2.1 paulmataruso:3.1.0_6.1.3 paulmataruso:3.1.0_6.1.2 paulmataruso:3.1.0_6.1.1 paulmataruso:3.1.0_6.1.0 paulmataruso:2.1.1_5.6.4 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:2.0
paulmataruso:v4.14.0 paulmataruso:v4.13.1 paulmataruso:v4.13.0 paulmataruso:v4.10.3 paulmataruso:v4.10.2 paulmataruso:v4.12.0 paulmataruso:v4.11.2 paulmataruso:v4.11.1 paulmataruso:v4.11.0 paulmataruso:v4.10.1 paulmataruso:v4.10.0 paulmataruso:v4.9.2 paulmataruso:v4.9.1 paulmataruso:v4.9.0 paulmataruso:v4.8.2 paulmataruso:v4.8.1 paulmataruso:v4.8.0 paulmataruso:v4.7.5 paulmataruso:v4.7.4 paulmataruso:cloud-2.0.6 paulmataruso:cloud-2.0.7 paulmataruso:v4.7.3 paulmataruso:cloud-2.0.3 paulmataruso:cloud-2.0.2 paulmataruso:cloud-2.0.4 paulmataruso:v4.7.2 paulmataruso:v4.7.1 paulmataruso:cloud-v1.22.0 paulmataruso:v4.7.0 paulmataruso:cloud-v1.20.0 paulmataruso:cloud-v1.20.1 paulmataruso:cloud-v1.21.0 paulmataruso:v4.6.0 paulmataruso:v4.5.4 paulmataruso:v4.5.3 paulmataruso:v4.6.0-beta1 paulmataruso:v4.5.3-rc1 paulmataruso:v4.5.2 paulmataruso:v4.6.0-alpha1 paulmataruso:v4.5.1 paulmataruso:v4.5.1-rc2 paulmataruso:v4.5.1-rc1 paulmataruso:v4.5.0 paulmataruso:cloud-v1.18.5 paulmataruso:cloud-v1.18.4 paulmataruso:svc-envs-v1.18.3 paulmataruso:v4.4.5 paulmataruso:v4.6.0-pre-alpha1 paulmataruso:cloud-v1.18.1 paulmataruso:v4.4.4 paulmataruso:v4.4.3 paulmataruso:v4.4.2 paulmataruso:v4.3.11 paulmataruso:v4.4.1 paulmataruso:v4.4.0 paulmataruso:cloud-v1.17.4 paulmataruso:cloud-1.18.0 paulmataruso:v4.3.10 paulmataruso:v4.3.9 paulmataruso:cloud-v1.16.12 paulmataruso:v3.13.6_7.9.2 paulmataruso:v4.3.8 paulmataruso:v4.3.7 paulmataruso:v3.13.5 paulmataruso:cloud-v1.16.11 paulmataruso:svc-envs-v1.16.10 paulmataruso:cloud-v1.16.8 paulmataruso:v4.3.6 paulmataruso:v4.3.5 paulmataruso:cloud-v1.16.7 paulmataruso:test paulmataruso:cloud-v1.16.6 paulmataruso:v4.3.4 paulmataruso:v4.3.3 paulmataruso:cloud-v1.16.5 paulmataruso:v4.3.2 paulmataruso:v3.13.4_7.9.2 paulmataruso:v4.2.7 paulmataruso:cloud-v1.16.0 paulmataruso:v4.3.1 paulmataruso:v4.3.0 paulmataruso:v4.2.6 paulmataruso:cloud-v1.15.0 paulmataruso:v4.2.5 paulmataruso:v4.2.4 paulmataruso:v4.2.3 paulmataruso:v4.2.2 paulmataruso:v4.2.1 paulmataruso:v4.2.0 paulmataruso:v4.1.5 paulmataruso:v3.13.3_7.9.2 paulmataruso:v4.1.2 paulmataruso:v4.1.1 paulmataruso:v4.1.0 paulmataruso:v4.0.4_1.11.0 paulmataruso:cloud-v0.60.3 paulmataruso:v4.0.3_1.11.0 paulmataruso:v4.0.2_1.11.0 paulmataruso:cloud-v0.60.0 paulmataruso:v4.0.1_1.11.0 paulmataruso:v4.0.0_1.10.1 paulmataruso:v3.13.2_7.9.1 paulmataruso:v3.13.1_7.8.0 paulmataruso:cloud-v0.32.0 paulmataruso:cloud-v0.30.0 paulmataruso:v3.13.0_7.7.1 paulmataruso:cloud-v0.22.0 paulmataruso:v3.12.3_7.6.2 paulmataruso:cloud-v0.21.2 paulmataruso:cloud-v0.21.1 paulmataruso:v3.12.2_7.6.2 paulmataruso:v3.12.1_7.6.2 paulmataruso:cloud-v0.21.0 paulmataruso:v3.12.0_7.6.1 paulmataruso:cloud-v0.20.0 paulmataruso:v3.11.4_7.6.1 paulmataruso:v3.11.3_7.5.2 paulmataruso:v3.11.2_7.5.1 paulmataruso:cloud-v0.11.0 paulmataruso:v3.11.1_7.5.1 paulmataruso:v3.11.0_7.5.1 paulmataruso:cloud-v0.9.0 paulmataruso:v3.10.2_7.5.0 paulmataruso:v0.9.0-rc1 paulmataruso:v3.10.0_7.3.2 paulmataruso:v3.10.2_7.3.2 paulmataruso:cloud-v0.6.0 paulmataruso:v3.9.5_7.2.1 paulmataruso:v3.9.4_7.2.0 paulmataruso:v3.9.5_7.3.0-oss paulmataruso:v3.9.3_6.8.1 paulmataruso:v3.9.1_6.8.0 paulmataruso:v3.9.2_6.8.0 paulmataruso:v3.9.4_6.8.2 paulmataruso:v3.9.3_7.1.1-opendistro paulmataruso:v3.9.3_7.2.0-oss paulmataruso:v3.9.3_7.2.0 paulmataruso:v3.9.2_7.1.1 paulmataruso:v3.9.0_6.7.2 paulmataruso:v3.9.0_6.7.1 paulmataruso:v3.9.1_7.1.0 paulmataruso:v3.8.2_6.5.4 paulmataruso:v3.8.2_6.7.0 paulmataruso:v3.8.2_6.6.2 paulmataruso:v3.8.2_6.6.1 paulmataruso:v3.8.1_6.5.4 paulmataruso:v3.8.0_6.5.4 paulmataruso:v3.7.2_6.5.4 paulmataruso:v3.7.2_6.5.3 paulmataruso:v3.7.0_6.5.0 paulmataruso:3.1.0_6.1.1 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:v2.0
..
compare: paulmataruso:v0.9.0-rc1
Branches Tags
paulmataruso:2693-delete-config-files paulmataruso:main paulmataruso:4.14.1 paulmataruso:test_adapt_arm paulmataruso:4.10.4 paulmataruso:4.13.0-rc4-tag paulmataruso:2577-test-bucket paulmataruso:6.0.0 paulmataruso:change/1824-rootless-podman-with-selinux paulmataruso:test-arm-build paulmataruso:enhancement/1624-docker-compose-v2 paulmataruso:4.9.0 paulmataruso:461-centralize-conf-files paulmataruso:4.5 paulmataruso:4.4 paulmataruso:4.4.4 paulmataruso:4.3 paulmataruso:816-persistent-files-that-should-not-be-kept paulmataruso:817-automatic-release-of-docker-images paulmataruso:4.3.11 paulmataruso:3.13 paulmataruso:4.2 paulmataruso:4.1 paulmataruso:4.0 paulmataruso:4.0.4 paulmataruso:devel paulmataruso:3.11.2_7.5.1-oss paulmataruso:3.10.2_7.5.0 paulmataruso:3.10.0_7.3.2 paulmataruso:3.10.2_7.3.2 paulmataruso:3.10-wazuh-refactor paulmataruso:3.9.5_7.2.1 paulmataruso:3.9.4_7.2.0 paulmataruso:3.9.5_7.3.0-oss paulmataruso:3.10_7.3.0 paulmataruso:3.9.4_7.1.1-opendistro-security paulmataruso:3.9.3_6.8.1 paulmataruso:3.9.1_6.8.0 paulmataruso:3.9.2_6.8.0 paulmataruso:3.9.4_6.8.2 paulmataruso:3.9.3_7.1.1-opendistro paulmataruso:3.9.3_7.1.1-opendistro-security paulmataruso:3.9.3_7.2.0_oss paulmataruso:3.9.3_7.2.0 paulmataruso:3.9.2_7.1.1 paulmataruso:3.9.0_6.7.2 paulmataruso:3.9.0_6.7.1 paulmataruso:3.8.2_6.5.4-oss paulmataruso:3.9.1_7.1.0 paulmataruso:3.8.2_6.5.4 paulmataruso:3.10.0_7.0.0 paulmataruso:3.8.2_6.7.0 paulmataruso:3.8.2_6.6.2 paulmataruso:3.8.2_6.6.1 paulmataruso:6.8.2_6.6.1 paulmataruso:3.8.1_6.5.4 paulmataruso:3.8.0_6.5.4 paulmataruso:3.7.2_6.5.4 paulmataruso:3.7.2_6.5.3 paulmataruso:3.7.1_6.5.3 paulmataruso:3.7.0_6.5.0 paulmataruso:3.7.0_6.4.3 paulmataruso:3.6.1_6.4.2 paulmataruso:3.6.1_6.4.1 paulmataruso:3.6.1_6.4.0 paulmataruso:3.6.0_6.4.0 paulmataruso:3.5.0_6.3.2 paulmataruso:3.4.0_6.3.2 paulmataruso:3.4.0_6.3.1 paulmataruso:3.3.1_6.3.1 paulmataruso:3.3.1_6.3.0 paulmataruso:3.3.1_6.2.4 paulmataruso:3.3.0_6.2.4 paulmataruso:3.2.4_6.2.4 paulmataruso:3.2.3_6.2.4 paulmataruso:3.2.2_6.2.4 paulmataruso:3.2.1_6.2.4 paulmataruso:3.2.1_6.2.3 paulmataruso:3.2.1_6.2.2 paulmataruso:3.2.0_6.2.1 paulmataruso:3.1.0_6.1.3 paulmataruso:3.1.0_6.1.2 paulmataruso:3.1.0_6.1.1 paulmataruso:3.1.0_6.1.0 paulmataruso:2.1.1_5.6.4 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:2.0
paulmataruso:v4.14.0 paulmataruso:v4.13.1 paulmataruso:v4.13.0 paulmataruso:v4.10.3 paulmataruso:v4.10.2 paulmataruso:v4.12.0 paulmataruso:v4.11.2 paulmataruso:v4.11.1 paulmataruso:v4.11.0 paulmataruso:v4.10.1 paulmataruso:v4.10.0 paulmataruso:v4.9.2 paulmataruso:v4.9.1 paulmataruso:v4.9.0 paulmataruso:v4.8.2 paulmataruso:v4.8.1 paulmataruso:v4.8.0 paulmataruso:v4.7.5 paulmataruso:v4.7.4 paulmataruso:cloud-2.0.6 paulmataruso:cloud-2.0.7 paulmataruso:v4.7.3 paulmataruso:cloud-2.0.3 paulmataruso:cloud-2.0.2 paulmataruso:cloud-2.0.4 paulmataruso:v4.7.2 paulmataruso:v4.7.1 paulmataruso:cloud-v1.22.0 paulmataruso:v4.7.0 paulmataruso:cloud-v1.20.0 paulmataruso:cloud-v1.20.1 paulmataruso:cloud-v1.21.0 paulmataruso:v4.6.0 paulmataruso:v4.5.4 paulmataruso:v4.5.3 paulmataruso:v4.6.0-beta1 paulmataruso:v4.5.3-rc1 paulmataruso:v4.5.2 paulmataruso:v4.6.0-alpha1 paulmataruso:v4.5.1 paulmataruso:v4.5.1-rc2 paulmataruso:v4.5.1-rc1 paulmataruso:v4.5.0 paulmataruso:cloud-v1.18.5 paulmataruso:cloud-v1.18.4 paulmataruso:svc-envs-v1.18.3 paulmataruso:v4.4.5 paulmataruso:v4.6.0-pre-alpha1 paulmataruso:cloud-v1.18.1 paulmataruso:v4.4.4 paulmataruso:v4.4.3 paulmataruso:v4.4.2 paulmataruso:v4.3.11 paulmataruso:v4.4.1 paulmataruso:v4.4.0 paulmataruso:cloud-v1.17.4 paulmataruso:cloud-1.18.0 paulmataruso:v4.3.10 paulmataruso:v4.3.9 paulmataruso:cloud-v1.16.12 paulmataruso:v3.13.6_7.9.2 paulmataruso:v4.3.8 paulmataruso:v4.3.7 paulmataruso:v3.13.5 paulmataruso:cloud-v1.16.11 paulmataruso:svc-envs-v1.16.10 paulmataruso:cloud-v1.16.8 paulmataruso:v4.3.6 paulmataruso:v4.3.5 paulmataruso:cloud-v1.16.7 paulmataruso:test paulmataruso:cloud-v1.16.6 paulmataruso:v4.3.4 paulmataruso:v4.3.3 paulmataruso:cloud-v1.16.5 paulmataruso:v4.3.2 paulmataruso:v3.13.4_7.9.2 paulmataruso:v4.2.7 paulmataruso:cloud-v1.16.0 paulmataruso:v4.3.1 paulmataruso:v4.3.0 paulmataruso:v4.2.6 paulmataruso:cloud-v1.15.0 paulmataruso:v4.2.5 paulmataruso:v4.2.4 paulmataruso:v4.2.3 paulmataruso:v4.2.2 paulmataruso:v4.2.1 paulmataruso:v4.2.0 paulmataruso:v4.1.5 paulmataruso:v3.13.3_7.9.2 paulmataruso:v4.1.2 paulmataruso:v4.1.1 paulmataruso:v4.1.0 paulmataruso:v4.0.4_1.11.0 paulmataruso:cloud-v0.60.3 paulmataruso:v4.0.3_1.11.0 paulmataruso:v4.0.2_1.11.0 paulmataruso:cloud-v0.60.0 paulmataruso:v4.0.1_1.11.0 paulmataruso:v4.0.0_1.10.1 paulmataruso:v3.13.2_7.9.1 paulmataruso:v3.13.1_7.8.0 paulmataruso:cloud-v0.32.0 paulmataruso:cloud-v0.30.0 paulmataruso:v3.13.0_7.7.1 paulmataruso:cloud-v0.22.0 paulmataruso:v3.12.3_7.6.2 paulmataruso:cloud-v0.21.2 paulmataruso:cloud-v0.21.1 paulmataruso:v3.12.2_7.6.2 paulmataruso:v3.12.1_7.6.2 paulmataruso:cloud-v0.21.0 paulmataruso:v3.12.0_7.6.1 paulmataruso:cloud-v0.20.0 paulmataruso:v3.11.4_7.6.1 paulmataruso:v3.11.3_7.5.2 paulmataruso:v3.11.2_7.5.1 paulmataruso:cloud-v0.11.0 paulmataruso:v3.11.1_7.5.1 paulmataruso:v3.11.0_7.5.1 paulmataruso:cloud-v0.9.0 paulmataruso:v3.10.2_7.5.0 paulmataruso:v0.9.0-rc1 paulmataruso:v3.10.0_7.3.2 paulmataruso:v3.10.2_7.3.2 paulmataruso:cloud-v0.6.0 paulmataruso:v3.9.5_7.2.1 paulmataruso:v3.9.4_7.2.0 paulmataruso:v3.9.5_7.3.0-oss paulmataruso:v3.9.3_6.8.1 paulmataruso:v3.9.1_6.8.0 paulmataruso:v3.9.2_6.8.0 paulmataruso:v3.9.4_6.8.2 paulmataruso:v3.9.3_7.1.1-opendistro paulmataruso:v3.9.3_7.2.0-oss paulmataruso:v3.9.3_7.2.0 paulmataruso:v3.9.2_7.1.1 paulmataruso:v3.9.0_6.7.2 paulmataruso:v3.9.0_6.7.1 paulmataruso:v3.9.1_7.1.0 paulmataruso:v3.8.2_6.5.4 paulmataruso:v3.8.2_6.7.0 paulmataruso:v3.8.2_6.6.2 paulmataruso:v3.8.2_6.6.1 paulmataruso:v3.8.1_6.5.4 paulmataruso:v3.8.0_6.5.4 paulmataruso:v3.7.2_6.5.4 paulmataruso:v3.7.2_6.5.3 paulmataruso:v3.7.0_6.5.0 paulmataruso:3.1.0_6.1.1 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:v2.0

50 Commits
4.0 ... v0.9.0-rc1

Author SHA1 Message Date
AlfonsoRBJ
503200ea70 Remove kibana custom configuration (#279) 
Former-commit-id: fcca484a9e
 2019-12-05 11:52:03 +01:00
AlfonsoRBJ
a5013d2cf8 Remove Logstash pipeline customization (#280) 
Former-commit-id: 2b7171101b
 2019-12-05 11:48:15 +01:00
AlfonsoRBJ
bc693841fd Fixed the option to change Filebeat output (#268) 
Former-commit-id: 910caf6bd3
 2019-11-05 16:20:36 +01:00
Jesús Linares
202e1669c5 App 3.10.2 - 7.3.2 with security fix (#264) 
Former-commit-id: a8e0804e04
 2019-10-15 17:19:09 +02:00
Jesús Linares
9cdcf05d49 Merge pull request #263 from wazuh/elastic-7-cloud 
Former-commit-id: 4d6f09cec8
 2019-10-10 16:24:50 +02:00
AlfonsoRBJ
d15ea1ff51 Elasticserach 7 - Template mangement (#262) 
Former-commit-id: 2113b5b3d5
 2019-10-10 15:53:24 +02:00
AlfonsoRBJ
ddd37f0f9a Fixes for cloud Elastic 7 (#260) 
Former-commit-id: ca1578ed27
 2019-10-03 17:38:43 +02:00
AlfonsoRBJ
fdb55e8ce1 Elastic 7-x Docker refactor (#257) 
Former-commit-id: d3220826fc
 2019-10-01 13:10:01 +02:00
AlfonsoRBJ
086ba71c69 Elastic 7-x cloud adaption (#255) 
Former-commit-id: 6d9595327d
 2019-10-01 11:28:04 +02:00
Mayte Ariza
303e0f6557 Add wodles to permanent_data (#239) 
Former-commit-id: 7a8b332c93
 2019-09-06 15:29:25 +02:00
Mayte Ariza
1d35f292db Fix copy except files (#238) 
Former-commit-id: bd2fa5c40d
 2019-09-06 10:42:39 +02:00
Mayte Ariza
4c3f149428 Change v6.8.1 version to v6.8.2 (#237) 
Former-commit-id: c427c971a4
 2019-09-05 17:18:55 +02:00
Jesus Linares
7cb82937dc Update version: 3.9.4 - 6.8.1 
Former-commit-id: 0644dd36e0
 2019-09-05 10:56:51 +02:00
Jesús Linares
f494f6eca2 Merge pull request #236 from wazuh/cloud-0.6-debug 
Cloud 0.6 - fixes

Former-commit-id: 93eb42bb96
 2019-09-05 10:52:07 +02:00
AlfonsoRBJ
84a06e2fbc Wazuh 3.9.4 Elastic 6.8.1_3.9.3 
Former-commit-id: e88be1d4bb
 2019-09-05 10:29:55 +02:00
AlfonsoRBJ
c346863593 Merge branch 'issue-234-cloud0.6-wodles' into cloud-0.6-debug 
Former-commit-id: 62499ce622
 2019-09-05 10:22:32 +02:00
Mayte Ariza
dccb8aca54 Set filebeat to 6.8.1 
Former-commit-id: e22eba52b9
 2019-09-05 10:20:16 +02:00
Mayte Ariza
18971e3fde Remove 6.8.2 version 
Former-commit-id: abbe2f20e4
 2019-09-05 10:16:07 +02:00
Josemi Hernandez
7faed76e44 Added TLS version filter (#227) 
Former-commit-id: af007c69d4
 2019-09-05 09:46:55 +02:00
Mayte Ariza
f3e3abfaf0 Add agents.js 
Former-commit-id: 2c5a1f7c58
 2019-09-04 13:11:49 +02:00
Mayte Ariza
27c37d808a Changed versions: wazuh 3.9.4 and kibana 6.8.2 
Former-commit-id: 6b13810e6a
 2019-09-04 12:29:02 +02:00
AlfonsoRBJ
3a06c32e62 add minimun_master_nodes 
Former-commit-id: 816549c3b6
 2019-09-04 11:26:06 +02:00
AlfonsoRBJ
2918502fd1 save original elasticserach.yml 
Former-commit-id: eed444bbbb
 2019-09-04 11:11:59 +02:00
Mayte Ariza
d1eb6e7b98 Removed chmod command in entrypoint 
Former-commit-id: 9460780adb
 2019-09-04 08:38:43 +02:00
Mayte Ariza
6656fddf70 Added new volume: wodles folder 
Former-commit-id: 36e3fa403d
 2019-09-04 08:32:56 +02:00
AlfonsoRBJ
131d25979b improve workaround description 
Former-commit-id: 24da1f4d0f
 2019-09-03 16:31:55 +02:00
AlfonsoRBJ
abfe509753 workaround for wazuh-api issue 440 and 443 
Former-commit-id: d3cfd2234a
 2019-09-03 16:21:16 +02:00
AlfonsoRBJ
9d71a6cbcc install wazuh without custom package 
Former-commit-id: db733fc849
 2019-09-03 11:50:30 +02:00
AlfonsoRBJ
610f6f49ce add debug to S3 repository creation in elasticsearch image 
Former-commit-id: 0c571ad3f9
 2019-09-03 11:15:35 +02:00
AlfonsoRBJ
71933d6625 Merge branch 'k8s' into cloud-0.5 
Former-commit-id: 901c29c3ab
 2019-09-02 15:12:46 +02:00
Mayte Ariza
7afe64b238 Removed write permissions for group and other in Integrations folder (#226) 
* Removed go-w permissions in integrations folder

* Modified permissions command
 2019-08-27 13:31:04 +02:00
Daniel Ruiz
37f50dac1c Fix docker volumes error 
Former-commit-id: e8ecb63183
 2019-07-24 09:26:23 +02:00
Mayte Ariza
7c11a8568c Fixing remove files (#210) 2019-07-15 09:43:08 +02:00
Mayte Ariza
0bf9766883 Check if file exists before removing it (#209) 2019-07-15 08:37:31 +02:00
AlfonsoRBJ
59f60f63b6 Upgrade to 3.9.3_6.8.1 version (#207) 2019-07-12 16:35:26 +02:00
Mayte Ariza
c9ed007771 Permissions rw for group added (#206) 2019-07-12 16:03:32 +02:00
Mayte Ariza
15dbd60605 New volumes declaration in Wazuh Dockerfile (#203) 2019-07-09 13:59:36 +02:00
AlfonsoRBJ
eca30fb709 add CA correct management for Logstash (#202) 2019-07-08 18:32:36 +02:00
AlfonsoRBJ
065b5bb5cf Security for Elastic Stack (#196) 2019-07-08 14:02:19 +02:00
Mayte Ariza
d98ab1b4f3 Wazuh image improvements (#188) 2019-07-08 13:37:57 +02:00
AlfonsoRBJ
c077b496bd resolve merge conflicts from branch 3.9.2_6.8.0 2019-06-17 16:02:12 +02:00
Manuel J. Bernal
815039333d Updated CHANGELOG 2019-06-12 18:09:33 +02:00
Manuel J. Bernal
9b2ecdb47d Bump version 3.8.2_6.8.0 2019-06-12 18:08:23 +02:00
AlfonsoRBJ
651077e2c7 Update CHANGELOG.md 2019-06-04 13:12:46 +02:00
AlfonsoRBJ
d8ac9e617b Update CHANGELOG.md 2019-06-04 13:12:13 +02:00
AlfonsoRBJ
9db0001e08 conflicts resolved in merge 3.9.1_6.8.0 over k8s branch 2019-05-28 12:43:16 +02:00
Mayte Ariza
096246abcb Removing log files (#169) 2019-05-15 08:14:33 +02:00
AlfonsoRBJ
d2766454d0 Disable additionals X-Pack applications and hide unnecesary management links (#163) 2019-05-08 15:50:42 +02:00
Mayte Ariza
a88e5495d5 Merge branch '3.9.0_6.7.1' into k8s 2019-05-06 11:56:05 +02:00
Mayte Ariza
3f94f734d4 Removing logs from Wazuh image (#153) 2019-04-26 08:08:49 +02:00
92 changed files with 3991 additions and 7082 deletions
Expand all files Collapse all files

36
.github/workflows/push.yml vendored
View File

@@ -1,36 +0,0 @@
name: Wazuh Docker pipeline
on: [push]
jobs:
build-stack:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v2
- name: Build the docker-compose stack
run: docker-compose -f build-from-sources.yml up -d --build
- name: Check running containers
run: docker ps -a
- name: Shutdown the stack
run: docker-compose -f build-from-sources.yml kill
- name: Install Goss
uses: e1himself/goss-installation-action@v1.0.3
with:
version: v0.3.16
- name: Execute Goss tests (wazuh-odfe)
run: dgoss run wazuh/wazuh-odfe:dev-version
env:
GOSS_SLEEP: 30
GOSS_FILE: .goss.yaml
- name: Execute Goss tests (wazuh-kibana-odfe)
run: dgoss run wazuh/wazuh-kibana-odfe:dev-version
env:
GOSS_FILE: .goss.kibana.yaml

53
.goss.kibana.yaml
View File

@@ -1,53 +0,0 @@
file:
/usr/share/kibana/config/kibana.yml:
exists: true
mode: "0664"
owner: kibana
group: root
filetype: file
contains: []
/usr/share/kibana/optimize/bundles/light_theme.style.css:
exists: true
mode: "0664"
owner: kibana
group: root
filetype: file
contains: []
/usr/share/kibana/optimize/bundles/wazuh_logo_circle.svg:
exists: true
mode: "0644"
owner: kibana
group: root
filetype: file
contains: []
/usr/share/kibana/optimize/bundles/wazuh_wazuh_bg.svg:
exists: true
mode: "0644"
owner: kibana
group: root
filetype: file
contains: []
/usr/share/kibana/optimize/wazuh/config/wazuh.yml:
exists: true
mode: "0644"
owner: kibana
group: kibana
filetype: file
contains: []
/usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs:
exists: true
mode: "0664"
owner: kibana
group: root
filetype: file
contains: []
user:
kibana:
exists: true
groups:
- kibana
home: /usr/share/kibana
shell: /bin/bash
group:
kibana:
exists: true

115
.goss.yaml
View File

@@ -1,115 +0,0 @@
file:
/etc/filebeat/filebeat.yml:
exists: true
mode: "0644"
owner: root
group: root
filetype: file
contains: []
/var/ossec/bin/ossec-control:
exists: true
mode: "0750"
owner: root
group: root
filetype: file
contains: []
/var/ossec/etc/lists/audit-keys:
exists: true
mode: "0660"
owner: ossec
group: ossec
filetype: file
contains: []
/var/ossec/etc/ossec.conf:
exists: true
mode: "0660"
owner: root
group: ossec
filetype: file
contains: []
/var/ossec/etc/rules/local_rules.xml:
exists: true
mode: "0660"
owner: ossec
group: ossec
filetype: file
contains: []
/var/ossec/etc/sslmanager.cert:
exists: true
mode: "0640"
owner: root
group: root
filetype: file
contains: []
/var/ossec/etc/sslmanager.key:
exists: true
mode: "0640"
owner: root
group: root
filetype: file
contains: []
package:
filebeat:
installed: true
versions:
- 7.9.1
wazuh-manager:
installed: true
versions:
- 4.0.4
port:
tcp:1514:
listening: true
ip:
- 0.0.0.0
tcp:1515:
listening: true
ip:
- 0.0.0.0
tcp:55000:
listening: true
ip:
- 0.0.0.0
user:
ossec:
exists: true
groups:
- ossec
home: /var/ossec
shell: /sbin/nologin
ossecm:
exists: true
groups:
- ossec
home: /var/ossec
shell: /sbin/nologin
ossecr:
exists: true
groups:
- ossec
home: /var/ossec
shell: /sbin/nologin
group:
ossec:
exists: true
process:
filebeat:
running: true
ossec-analysisd:
running: true
ossec-authd:
running: true
ossec-execd:
running: true
ossec-monitord:
running: true
ossec-remoted:
running: true
ossec-syscheckd:
running: true
s6-supervise:
running: true
wazuh-db:
running: true
wazuh-modulesd:
running: true

179
CHANGELOG.md
View File

@@ -1,162 +1,6 @@
# Change Log
All notable changes to this project will be documented in this file.
## Wazuh Docker v4.0.4_1.11.0
### Added
- Update to Wazuh version [4.0.4](https://github.com/wazuh/wazuh/blob/v4.0.4/CHANGELOG.md#v404)
## Wazuh Docker v4.0.3_1.11.0
### Added
- Update to Wazuh version 4.0.3
## Wazuh Docker v4.0.2_1.11.0
### Added
- Update to Wazuh version 4.0.2
## Wazuh Docker v4.0.1_1.11.0
### Added
- Update to Wazuh version 4.0.1
- Opendistro 1.11.0 compatiblity
- Re-enabled dumping ossec.log to stdout
## Wazuh Docker v4.0.0_1.10.1
### Added
- Update to Wazuh version 4.0.0
- Updating Wazuh cluster key dynamically ([@1stOfHisGame](https://github.com/1stOfHisGame)) [#393](https://github.com/wazuh/wazuh-docker/pull/393)
- Switched to CentOS 7 for base image ([@xr09](https://github.com/xr09)) [#259](https://github.com/wazuh/wazuh-docker/issues/259)
- Using s6-overlay for process management ([@xr09](https://github.com/xr09)) [#274](https://github.com/wazuh/wazuh-docker/issues/274)
- Allow the creation of custom API users ([@xr09](https://github.com/xr09)) [#395](https://github.com/wazuh/wazuh-docker/issues/395)
- OpenDistro support ([@xr09](https://github.com/xr09)) [#373](https://github.com/wazuh/wazuh-docker/pull/373)
### Changed
- Removal of Elastic images
## Wazuh Docker v3.13.2_7.9.1
### Added
- Update to Wazuh version 3.13.2_7.9.1
- Add CLUSTER_NETWORK_HOST environment variable ([@jfut](https://github.com/jfut)) [#372](https://github.com/wazuh/wazuh-docker/pull/372)
### Fixed
- Too many redirects when running on port 80 ([@chowmean](https://github.com/chowmean)) [#377](https://github.com/wazuh/wazuh-docker/pull/377)
- Move Filebeat installation to build stage ([@xr09](https://github.com/xr09)) [#378](https://github.com/wazuh/wazuh-docker/pull/378)
## Wazuh Docker v3.13.1_7.8.0
### Added
- Update to Wazuh version 3.13.1_7.8.0
## Wazuh Docker v3.13.0_7.7.1
### Added
- Update to Wazuh version 3.13.3_7.7.1
### Fixed
- Save agentless state ([@xr09](https://github.com/xr09)) [#350](https://github.com/wazuh/wazuh-docker/pull/350)
- Use HTTP credentials for service check when required ([@xr09](https://github.com/xr09)) [#356](https://github.com/wazuh/wazuh-docker/pull/356)
## Wazuh Docker v3.12.3_7.6.2
### Added
- Update to Wazuh version 3.12.3_7.6.2
## Wazuh Docker v3.12.2_7.6.2
### Added
- Update to Wazuh version 3.12.2_7.6.2
## Wazuh Docker v3.12.1_7.6.2
### Added
- Update to Wazuh version 3.12.1_7.6.2
### Fixed
- Agent timestamp not being properly saved ([@xr09](https://github.com/xr09)) [#323](https://github.com/wazuh/wazuh-docker/pull/323)
## Wazuh Docker v3.12.0_7.6.1
### Added
- Update to Wazuh version 3.12.0_7.6.1
## Wazuh Docker v3.11.4_7.6.1
### Added
- Update to Wazuh version 3.11.4_7.6.1
- Enable HTTP v2 on nginx ([@xr09](https://github.com/xr09)) [#308](https://github.com/wazuh/wazuh-docker/pull/308)
### Fixed
- Updated NGINX config syntax ([@xr09](https://github.com/xr09)) [#303](https://github.com/wazuh/wazuh-docker/pull/303)
## Wazuh Docker v3.11.3_7.5.2
### Added
- Update to Wazuh version 3.11.3_7.5.2
## Wazuh Docker v3.11.2_7.5.1
### Added
- Bumped Node.js to version 10 ([@xr09](https://github.com/xr09)) [#8615cd4](https://github.com/wazuh/wazuh-docker/commit/8615cd4d2152601e55becc7c3675360938e74b6a)
### Fixed
- Fix S3 Plugin ([@AnthonySendra](https://github.com/AnthonySendra)) [#293](https://github.com/wazuh/wazuh-docker/pull/293)
## Wazuh Docker v3.11.1_7.5.1
### Added
- Update to Wazuh version 3.11.1_7.5.1
- Filebeat configuration file updated to latest version ([@manuasir](https://github.com/manuasir)) [#271](https://github.com/wazuh/wazuh-docker/pull/271)
- Allow using the hostname as node_name for managers ([@JPLachance](https://github.com/JPLachance)) [#261](https://github.com/wazuh/wazuh-docker/pull/261)
## Wazuh Docker v3.11.0_7.5.1
### Added
- Update to Wazuh version 3.11.0_7.5.1
## Wazuh Docker v3.10.2_7.5.0
### Added
- Update to Wazuh version 3.10.2_7.5.0
## Wazuh Docker v3.10.2_7.3.2
### Added
@@ -182,6 +26,7 @@ All notable changes to this project will be documented in this file.
- Update to Wazuh version 3.9.4_7.2.0
- Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)
## Wazuh Docker v3.9.3_7.2.0
### Fixed
@@ -193,12 +38,21 @@ All notable changes to this project will be documented in this file.
- Update to Wazuh version 3.9.2_7.1.1
## Wazuh Docker v3.9.3_6.8.1
### Added
- Update to Wazuh version 3.9.3_6.8.1
- Option to disable additionals X-Pack applications and hide unnecesary management links ([@SitoRBJ](https://github.com/SitoRBJ)) ([#163](https://github.com/wazuh/wazuh-docker/pull/163))
## Wazuh Docker v3.9.2_6.8.0
### Added
- Update to Wazuh version 3.9.2_6.8.0
## Wazuh Docker v3.9.1_7.1.0
### Added
@@ -211,11 +65,21 @@ All notable changes to this project will be documented in this file.
### Added
- Update to Wazuh version 3.9.1_6.8.0 ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
- Security for Elastic Stack in Docker implemented ([#186](https://github.com/wazuh/wazuh-docker/issues/186))
### Fixed
- Fixed `ELASTICSEARCH_KIBANA_IP` environment variable ([@manuasir](https://github.com/manuasir)) ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
## Wazuh Docker v3.9.1_7.1.0
### Added
- Support for Elastic v7.1.0
- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
## Wazuh Docker v3.9.0_6.7.2
### Changed
@@ -224,6 +88,7 @@ All notable changes to this project will be documented in this file.
## Wazuh Docker v3.9.0_6.7.1
### Added
- Support for xPACK authorized requests ([@manuasir](https://github.com/manuasir)) ([#119](https://github.com/wazuh/wazuh-docker/pull/119))
@@ -308,7 +173,7 @@ All notable changes to this project will be documented in this file.
- Add env credentials for nginx. ([#86](https://github.com/wazuh/wazuh-docker/pull/86))
- Improve filebeat configuration ([#88](https://github.com/wazuh/wazuh-docker/pull/88))
### Fixed
### Fixed
- Temporary fix for Wazuh cluster master node in Kubernetes. ([#84](https://github.com/wazuh/wazuh-docker/pull/84))

2
LICENSE
View File

@@ -1,5 +1,5 @@
Portions Copyright (C) 2021 Wazuh, Inc.
Portions Copyright (C) 2019 Wazuh, Inc.
Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
This program is a free software; you can redistribute it and/or modify

176
README.md
View File

@@ -7,11 +7,12 @@
In this repository you will find the containers to run:
* wazuh-opendistro: It runs the Wazuh manager, Wazuh API and Filebeat OSS (for integration with ODFE)
* wazuh-kibana-opendistro: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
* opendistro-for-elasticsearch: An Elasticsearch (ODFE) container (working as a single-node cluster) using ODFE Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
* wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
* wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
* wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme).
* wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
In addition, a docker-compose file is provided to launch the containers mentioned above.
In addition, a docker-compose file is provided to launch the containers mentioned above.
* Elasticsearch cluster. In the Elasticsearch Dockerfile we can visualize variables to configure an Elasticsearch Cluster. These variables are used in the file *config_cluster.sh* to set them in the *elasticsearch.yml* configuration file. You can see the meaning of the node variables [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) and other cluster settings [here](https://github.com/elastic/elasticsearch/blob/master/distribution/src/config/elasticsearch.yml).
@@ -21,149 +22,42 @@ In addition, a docker-compose file is provided to launch the containers mentione
* [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
* [Docker hub](https://hub.docker.com/u/wazuh)
### Setup SSL certificate and Basic Authentication
Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed) and setup the basic auth.
Documentation on how to provide these two can be found at [nginx_conf/README.md](nginx_conf/README.md).
## Environment Variables
Default values are included when available.
### Wazuh
```
API_USERNAME="wazuh" # Wazuh API username
API_PASSWORD="wazuh" # Wazuh API password - Must comply with requirements
# (8+ length, uppercase, lowercase, specials chars)
ELASTICSEARCH_URL=https://elasticsearch:9200 # Elasticsearch URL
ELASTIC_USERNAME=admin # Elasticsearch Username
ELASTIC_PASSWORD=admin # Elasticsearch Password
FILEBEAT_SSL_VERIFICATION_MODE=full # Filebeat SSL Verification mode (full or none)
SSL_CERTIFICATE_AUTHORITIES="" # Path of Filebeat SSL CA
SSL_CERTIFICATE="" # Path of Filebeat SSL Certificate
SSL_KEY="" # Path of Filebeat SSL Key
```
### Kibana
```
PATTERN="wazuh-alerts-*" # Default index pattern to use
CHECKS_PATTERN=true # Defines which checks must to be consider by the healthcheck
CHECKS_TEMPLATE=true # step once the Wazuh app starts. Values must to be true or false
CHECKS_API=true
CHECKS_SETUP=true
EXTENSIONS_PCI=true # Enable PCI Extension
EXTENSIONS_GDPR=true # Enable GDPR Extension
EXTENSIONS_HIPAA=true # Enable HIPAA Extension
EXTENSIONS_NIST=true # Enable NIST Extension
EXTENSIONS_TSC=true # Enable TSC Extension
EXTENSIONS_AUDIT=true # Enable Audit Extension
EXTENSIONS_OSCAP=false # Enable OpenSCAP Extension
EXTENSIONS_CISCAT=false # Enable CISCAT Extension
EXTENSIONS_AWS=false # Enable AWS Extension
EXTENSIONS_GCP=false # Enable GCP Extension
EXTENSIONS_VIRUSTOTAL=false # Enable Virustotal Extension
EXTENSIONS_OSQUERY=false # Enable OSQuery Extension
EXTENSIONS_DOCKER=false # Enable Docker Extension
APP_TIMEOUT=20000 # Defines maximum timeout to be used on the Wazuh app requests
API_SELECTOR=true Defines if the user is allowed to change the selected API directly from the Wazuh app top menu
IP_SELECTOR=true # Defines if the user is allowed to change the selected index pattern directly from the Wazuh app top menu
IP_IGNORE="[]" # List of index patterns to be ignored
WAZUH_MONITORING_ENABLED=true # Custom settings to enable/disable wazuh-monitoring indices
WAZUH_MONITORING_FREQUENCY=900 # Custom setting to set the frequency for wazuh-monitoring indices cron task
WAZUH_MONITORING_SHARDS=2 # Configure wazuh-monitoring-* indices shards and replicas
WAZUH_MONITORING_REPLICAS=0 #
ADMIN_PRIVILEGES=true # App privileges
```
## Directory structure
├── CHANGELOG.md
├── docker-compose.yml
├── generate-opendistro-certs.yml
├── kibana-odfe
│   ├── config
│   │   ── custom_welcome
│   │   │   ── light_theme.style.css
│   │   │   ├── template.js.hbs
│   │   │   ├── wazuh_logo_circle.svg
│   │   │   └── wazuh_wazuh_bg.svg
│   │   ── entrypoint.sh
│   │   ├── kibana_settings.sh
│   │   ├── wazuh_app_config.sh
│   │   ├── wazuh.yml
│   │   └── welcome_wazuh.sh
│   └── Dockerfile
├── LICENSE
├── production_cluster
│   ├── elastic_opendistro
│   │   ├── elasticsearch-node1.yml
│   │   ├── elasticsearch-node2.yml
│   │   ├── elasticsearch-node3.yml
│   │   └── internal_users.yml
│   ├── kibana_ssl
│   │   └── generate-self-signed-cert.sh
│   ── nginx
│   │   ├── nginx.conf
│   │   └── ssl
│   │   └── generate-self-signed-cert.sh
│   ├── ssl_certs
│   │   └── certs.yml
│   └── wazuh_cluster
│   ├── wazuh_manager.conf
│   └── wazuh_worker.conf
├── production-cluster.yml
├── README.md
├── VERSION
└── wazuh-odfe
├── config
│   ├── create_user.py
│   ├── etc
│   │   ├── cont-init.d
│   │   │   ├── 0-wazuh-init
│   │   │   ├── 1-config-filebeat
│   │   │   └── 2-manager
│   │   └── services.d
│   │   └── filebeat
│   │   ├── finish
│   │   └── run
│   ├── filebeat.yml
│   ├── permanent_data.env
│   ├── permanent_data.sh
│   └── wazuh.repo
└── Dockerfile
wazuh-docker
├── docker-compose.yml
├── kibana
│   ├── config
│   │   ├── entrypoint.sh
│   │   ── kibana.yml
│   ── Dockerfile
├── LICENSE
├── nginx
│   ├── config
│   │   ── entrypoint.sh
│   └── Dockerfile
├── README.md
├── CHANGELOG.md
├── VERSION
├── test.txt
└── wazuh
├── config
│   ├── data_dirs.env
│   ├── entrypoint.sh
│   ├── filebeat.runit.service
│   ├── filebeat.yml
│   ├── init.bash
│   ├── postfix.runit.service
│   ├── wazuh-api.runit.service
│   ── wazuh.runit.service
└── Dockerfile
## Branches
* `4.0` branch on correspond to the latest Wazuh-Docker stable version.
* `stable` branch on correspond to the latest Wazuh-Docker stable version.
* `master` branch contains the latest code, be aware of possible bugs on this branch.
* `Wazuh.Version_ElasticStack.Version` (for example 3.13.1_7.8.0) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
## Compatibility Matrix
| Wazuh version | ODFE |
|---------------|---------|
| v4.0.4 | 1.11.0 |
|---------------|---------|
| v4.0.3 | 1.11.0 |
|---------------|---------|
| v4.0.2 | 1.11.0 |
|---------------|---------|
| v4.0.1 | 1.11.0 |
|---------------|---------|
| v4.0.0 | 1.10.1 |
* `Wazuh.Version_ElasticStack.Version` (for example 3.10.2_7.3.2) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
## Credits and Thank you
@@ -176,7 +70,7 @@ We thank you them and everyone else who has contributed to this project.
## License and copyright
Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
## Web references

4
VERSION
View File

@@ -1,2 +1,2 @@
WAZUH-DOCKER_VERSION="4.0.4_1.11.0"
REVISION="40400"
WAZUH-DOCKER_VERSION="3.10.2_7.3.2"
REVISION="31020"

84
build-from-sources.yml
View File

@@ -1,84 +0,0 @@
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
version: '3.7'
services:
wazuh:
build: wazuh-odfe/
image: wazuh/wazuh-odfe:dev-version
hostname: wazuh-manager
restart: always
ports:
- "1514:1514"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- ELASTICSEARCH_URL=https://elasticsearch:9200
- ELASTIC_USERNAME=admin
- ELASTIC_PASSWORD=admin
- FILEBEAT_SSL_VERIFICATION_MODE=none
volumes:
- ossec_api_configuration:/var/ossec/api/configuration
- ossec_etc:/var/ossec/etc
- ossec_logs:/var/ossec/logs
- ossec_queue:/var/ossec/queue
- ossec_var_multigroups:/var/ossec/var/multigroups
- ossec_integrations:/var/ossec/integrations
- ossec_active_response:/var/ossec/active-response/bin
- ossec_agentless:/var/ossec/agentless
- ossec_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
elasticsearch:
image: amazon/opendistro-for-elasticsearch:1.11.0
hostname: elasticsearch
restart: always
ports:
- "9200:9200"
environment:
- discovery.type=single-node
- cluster.name=wazuh-cluster
- network.host=0.0.0.0
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- bootstrap.memory_lock=true
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
kibana:
build: kibana-odfe/
image: wazuh/wazuh-kibana-odfe:dev-version
hostname: kibana
restart: always
ports:
- 443:5601
environment:
- ELASTICSEARCH_USERNAME=admin
- ELASTICSEARCH_PASSWORD=admin
- SERVER_SSL_ENABLED=true
- SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
- SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
depends_on:
- elasticsearch
links:
- elasticsearch:elasticsearch
- wazuh:wazuh
volumes:
ossec_api_configuration:
ossec_etc:
ossec_logs:
ossec_queue:
ossec_var_multigroups:
ossec_integrations:
ossec_active_response:
ossec_agentless:
ossec_wodles:
filebeat_etc:
filebeat_var:

116
docker-compose.yml
View File

@@ -1,82 +1,92 @@
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
version: '3.7'
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
version: '2'
services:
wazuh:
image: wazuh/wazuh-odfe:4.0.4_1.11.0
image: wazuh/wazuh:3.10.2_7.3.2
hostname: wazuh-manager
restart: always
ports:
- "1514:1514"
- "1514:1514/udp"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- ELASTICSEARCH_URL=https://elasticsearch:9200
- ELASTIC_USERNAME=admin
- ELASTIC_PASSWORD=admin
- FILEBEAT_SSL_VERIFICATION_MODE=none
volumes:
- ossec_api_configuration:/var/ossec/api/configuration
- ossec_etc:/var/ossec/etc
- ossec_logs:/var/ossec/logs
- ossec_queue:/var/ossec/queue
- ossec_var_multigroups:/var/ossec/var/multigroups
- ossec_integrations:/var/ossec/integrations
- ossec_active_response:/var/ossec/active-response/bin
- ossec_agentless:/var/ossec/agentless
- ossec_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
# depends_on:
# - logstash
# logstash:
# image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
# hostname: logstash
# restart: always
# links:
# - elasticsearch:elasticsearch
# ports:
# - "5000:5000"
# depends_on:
# - elasticsearch
# environment:
# - LS_HEAP_SIZE=2048m
# - SECURITY_ENABLED=no
# - SECURITY_LOGSTASH_USER=service_logstash
# - SECURITY_LOGSTASH_PASS=logstash_pass
# - LOGSTASH_OUTPUT=https://elasticsearch:9200
# - ELASTICSEARCH_URL=https://elasticsearch:9200
# - SECURITY_CA_PEM=server.TEST-CA-signed.pem
elasticsearch:
image: amazon/opendistro-for-elasticsearch:1.11.0
image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
hostname: elasticsearch
restart: always
ports:
- "9200:9200"
environment:
- discovery.type=single-node
- cluster.name=wazuh-cluster
- network.host=0.0.0.0
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
- ELASTICSEARCH_PROTOCOL=http
- ELASTICSEARCH_IP=elasticsearch
- ELASTICSEARCH_PORT=9200
- SECURITY_ENABLED=no
- SECURITY_ELASTIC_PASSWORD=elastic_pass
- SECURITY_MAIN_NODE=elasticsearch
- ELASTIC_CLUSTER=true
- CLUSTER_NODE_MASTER=true
- CLUSTER_MASTER_NODE_NAME=elasticsearch
- CLUSTER_NODE_DATA=true
- CLUSTER_NODE_INGEST=true
- CLUSTER_MAX_NODES=3
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 2g
kibana:
image: wazuh/wazuh-kibana-odfe:4.0.4_1.11.0
image: wazuh/wazuh-kibana:3.10.2_7.3.2
hostname: kibana
restart: always
ports:
- 443:5601
environment:
- ELASTICSEARCH_USERNAME=admin
- ELASTICSEARCH_PASSWORD=admin
- SERVER_SSL_ENABLED=true
- SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
- SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
depends_on:
- elasticsearch
links:
- elasticsearch:elasticsearch
- wazuh:wazuh
environment:
- ELASTICSEARCH_URL=https://elasticsearch:9200
- SECURITY_ENABLED=no
- SECURITY_KIBANA_USER=service_kibana
- SECURITY_KIBANA_PASS=kibana_pass
- ELASTICSEARCH_KIBANA_IP=https://elasticsearch:9200
- SECURITY_CA_PEM=server.TEST-CA-signed.pem
ports:
- "5601:5601"
volumes:
ossec_api_configuration:
ossec_etc:
ossec_logs:
ossec_queue:
ossec_var_multigroups:
ossec_integrations:
ossec_active_response:
ossec_agentless:
ossec_wodles:
filebeat_etc:
filebeat_var:
nginx:
image: wazuh/wazuh-nginx:3.10.2_7.3.2
hostname: nginx
restart: always
environment:
- NGINX_PORT=443
- NGINX_CREDENTIALS
ports:
- "80:80"
- "443:443"
depends_on:
- kibana
links:
- kibana:kibana

96
elasticsearch/Dockerfile Normal file
View File

@@ -0,0 +1,96 @@
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
ARG ELASTIC_VERSION=7.3.2
FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
ARG TEMPLATE_VERSION=v3.10.2
ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
ENV API_USER="foo" \
API_PASS="bar"
ENV XPACK_ML="true"
ENV ENABLE_CONFIGURE_S3="false"
ENV WAZUH_ALERTS_SHARDS="1" \
WAZUH_ALERTS_REPLICAS="0"
ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /usr/share/elasticsearch/config
RUN yum install epel-release -y && \
yum install jq -y
# This CA is created for testing. Please set your own CA zip containing the key and the signed certificate.
# command: $ docker build <elasticsearch_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_KEY_LOCATION=<CA_KEY_LOCATION>
# ENV variables are necessary: SECURITY_CA_PEM, SECURITY_CA_KEY, SECURITY_CA_TRUST, SECURITY_OPENSSL_CONF
# Example:
# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
# ARG SECURITY_CA_KEY_LOCATION="config/server.TEST-CA.key"
# ARG SECURITY_OPENSSL_CONF_LOCATION="config/TEST_openssl.cnf"
# ARG SECURITY_CA_TRUST_LOCATION="config/server.TEST-CA-signed.pem"
ARG SECURITY_CA_PEM_LOCATION=""
ARG SECURITY_CA_KEY_LOCATION=""
ARG SECURITY_OPENSSL_CONF_LOCATION=""
ARG SECURITY_CA_TRUST_LOCATION=""
# Elasticearch cluster configuration environment variables
# If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
# CLUSTER_INITIAL_MASTER_NODES set to own node by default.
ENV ELASTIC_CLUSTER="false" \
CLUSTER_NAME="wazuh" \
CLUSTER_NODE_MASTER="false" \
CLUSTER_NODE_DATA="true" \
CLUSTER_NODE_INGEST="true" \
CLUSTER_MEMORY_LOCK="true" \
CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
CLUSTER_NUMBER_OF_MASTERS="2" \
CLUSTER_MAX_NODES="1" \
CLUSTER_DELAYED_TIMEOUT="1m" \
CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch" \
CLUSTER_DISCOVERY_SEED="elasticsearch"
# CA cert for Transport SSL
ADD $SECURITY_CA_PEM_LOCATION /usr/share/elasticsearch/config
ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config
ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config
ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config
RUN mkdir /entrypoint-scripts
COPY config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
RUN bin/elasticsearch-plugin install repository-s3 -b
COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoint-scripts/10-config_cluster.sh
COPY --chown=elasticsearch:elasticsearch ./config/15-get_CA_key.sh /entrypoint-scripts/15-get_CA_key.sh
COPY --chown=elasticsearch:elasticsearch ./config/20-security_instances.sh /entrypoint-scripts/20-security_instances.sh
COPY --chown=elasticsearch:elasticsearch ./config/22-security_certs.sh /entrypoint-scripts/22-security_certs.sh
COPY --chown=elasticsearch:elasticsearch ./config/24-security_configuration.sh /entrypoint-scripts/24-security_configuration.sh
COPY --chown=elasticsearch:elasticsearch ./config/26-security_keystore.sh /entrypoint-scripts/26-security_keystore.sh
COPY --chown=elasticsearch:elasticsearch ./config/30-decrypt_credentials.sh /entrypoint-scripts/30-decrypt_credentials.sh
COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint.sh /entrypoint-scripts/35-entrypoint.sh
COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint_load_settings.sh ./
COPY config/35-load_settings_configure_s3.sh ./config/35-load_settings_configure_s3.sh
COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_users_management.sh ./
COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_policies.sh ./
COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_templates.sh ./
COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_aliases.sh ./
RUN chmod +x /entrypoint-scripts/10-config_cluster.sh && \
chmod +x /entrypoint-scripts/15-get_CA_key.sh && \
chmod +x /entrypoint-scripts/20-security_instances.sh && \
chmod +x /entrypoint-scripts/22-security_certs.sh && \
chmod +x /entrypoint-scripts/24-security_configuration.sh && \
chmod +x /entrypoint-scripts/26-security_keystore.sh && \
chmod +x /entrypoint-scripts/30-decrypt_credentials.sh && \
chmod +x /entrypoint-scripts/35-entrypoint.sh && \
chmod +x ./35-entrypoint_load_settings.sh && \
chmod 755 ./config/35-load_settings_configure_s3.sh && \
chmod +x ./35-load_settings_users_management.sh && \
chmod +x ./35-load_settings_policies.sh && \
chmod +x ./35-load_settings_templates.sh && \
chmod +x ./35-load_settings_aliases.sh
ENTRYPOINT ["/entrypoint.sh"]
CMD ["elasticsearch"]

93
elasticsearch/config/10-config_cluster.sh Normal file
View File

@@ -0,0 +1,93 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
original_file="/usr/share/elasticsearch/config/original-elasticsearch.yml"
ELASTIC_HOSTAME=`hostname`
echo "CLUSTER: - Prepare Configuration"
echo "CLUSTER: - Hostname"
echo $ELASTIC_HOSTAME
echo "CLUSTER: - Security main node"
echo $SECURITY_MAIN_NODE
echo "CLUSTER: - Discovery seed"
echo $CLUSTER_DISCOVERY_SEED
echo "CLUSTER: - Elastic cluster flag"
echo $ELASTIC_CLUSTER
echo "CLUSTER: - Node Master"
echo $CLUSTER_NODE_MASTER
echo "CLUSTER: - Node Data"
echo $CLUSTER_NODE_DATA
echo "CLUSTER: - Node Ingest"
echo $CLUSTER_NODE_INGEST
cp $elastic_config_file $original_file
remove_single_node_conf(){
if grep -Fq "discovery.type" $1; then
sed -i '/discovery.type\: /d' $1
fi
}
remove_cluster_config(){
sed -i '/# cluster node/,/# end cluster config/d' $1
}
# If Elasticsearch cluster is enable, then set up the elasticsearch.yml
if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $ELASTIC_HOSTAME != "" ]]; then
# Remove the old configuration
remove_single_node_conf $elastic_config_file
remove_cluster_config $elastic_config_file
echo "CLUSTER: - Remove old configuration"
if [[ $ELASTIC_HOSTAME == $SECURITY_MAIN_NODE ]]; then
# Add the master configuration
# cluster.initial_master_nodes for bootstrap the cluster
echo "CLUSTER: - Add the master configuration"
cat > $elastic_config_file << EOF
# cluster node
cluster.name: $CLUSTER_NAME
bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK
network.host: 0.0.0.0
node.name: $ELASTIC_HOSTAME
node.master: $CLUSTER_NODE_MASTER
node.data: $CLUSTER_NODE_DATA
node.ingest: $CLUSTER_NODE_INGEST
node.max_local_storage_nodes: $CLUSTER_MAX_NODES
cluster.initial_master_nodes:
- $ELASTIC_HOSTAME
# end cluster config"
EOF
elif [[ $CLUSTER_DISCOVERY_SEED != "" ]]; then
# Remove the old configuration
remove_single_node_conf $elastic_config_file
remove_cluster_config $elastic_config_file
echo "CLUSTER: - Add standard cluster configuration."
cat > $elastic_config_file << EOF
# cluster node
cluster.name: $CLUSTER_NAME
bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK
network.host: 0.0.0.0
node.name: $ELASTIC_HOSTAME
node.master: $CLUSTER_NODE_MASTER
node.data: $CLUSTER_NODE_DATA
node.ingest: $CLUSTER_NODE_INGEST
node.max_local_storage_nodes: $CLUSTER_MAX_NODES
discovery.seed_hosts:
- $CLUSTER_DISCOVERY_SEED
# end cluster config"
EOF
fi
# If the cluster is disabled, then set a single-node configuration
else
# Remove the old configuration
remove_single_node_conf $elastic_config_file
remove_cluster_config $elastic_config_file
echo "discovery.type: single-node" >> $elastic_config_file
echo "CLUSTER: - Discovery type: single-node"
fi
echo "CLUSTER: - Configured"

11
elasticsearch/config/15-get_CA_key.sh Normal file
View File

@@ -0,0 +1,11 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the CA key is encrypted, it must be decrypted for later use.
##############################################################################
echo "TO DO"
# TO DO

21
elasticsearch/config/20-security_instances.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# instances.yml
# This file is necessary for the creation of the Elasticsaerch certificate.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Setting Elasticserach security."
# instance.yml to be added by the user.
# Example:
# echo "
# instances:
# - name: \"elasticsearch\"
# dns:
# - \"elasticsearch\"
# " > /user/share/elasticsearch/instances.yml
fi

16
elasticsearch/config/22-security_certs.sh Normal file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Creation and management of certificates.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Elasticserach security certificates."
# Creation of the certificate for Elasticsearch.
# After the execution of this script will have generated
# the Elasticsearch certificate and related keys and passphrase.
# Example: TO DO
fi

32
elasticsearch/config/24-security_configuration.sh Normal file
View File

@@ -0,0 +1,32 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Adapt elasticsearch.yml configuration file
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Elasticserach security configuration."
echo "SECURITY - Setting configuration options."
# Settings for elasticsearch.yml to be added by the user.
# Example:
# echo "
# # Required to set the passwords and TLS options
# xpack.security.enabled: true
# xpack.security.transport.ssl.enabled: true
# xpack.security.transport.ssl.verification_mode: certificate
# xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
# xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
# xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"]
# # HTTP layer
# xpack.security.http.ssl.enabled: true
# xpack.security.http.ssl.verification_mode: certificate
# xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
# xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
# xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"]
# " >> /usr/share/elasticsearch/config/elasticsearch.yml
fi

21
elasticsearch/config/26-security_keystore.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Adapt elasticsearch.yml keystore management
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Elasticserach keystore management."
# Create keystore
# /usr/share/elasticsearch/bin/elasticsearch-keystore create
# Add keys to keystore by the user.
# Example
# echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin
# echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin
else
echo "SECURITY - Elasticsearch security not established."
fi

15
elasticsearch/config/30-decrypt_credentials.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the credentials of the users to be created are encrypted,
# they must be decrypted for later use.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
echo "TO DO"
fi
# TO DO

70
elasticsearch/config/35-entrypoint.sh Normal file
View File

@@ -0,0 +1,70 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.1/build/elasticsearch/bin/docker-entrypoint.sh
set -e
# Files created by Elasticsearch should always be group writable too
umask 0002
run_as_other_user_if_needed() {
if [[ "$(id -u)" == "0" ]]; then
# If running as root, drop to specified UID and run command
exec chroot --userspec=1000 / "${@}"
else
# Either we are running in Openshift with random uid and are a member of the root group
# or with a custom --user
exec "${@}"
fi
}
#Disabling xpack features
elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
if grep -Fq "#xpack features" "$elasticsearch_config_file" ;
then
declare -A CONFIG_MAP=(
[xpack.ml.enabled]=$XPACK_ML
)
for i in "${!CONFIG_MAP[@]}"
do
if [ "${CONFIG_MAP[$i]}" != "" ]; then
sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
fi
done
else
echo "
#xpack features
xpack.ml.enabled: $XPACK_ML
" >> $elasticsearch_config_file
fi
# Run load settings script.
bash /usr/share/elasticsearch/35-entrypoint_load_settings.sh &
# Execute elasticsearch
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "Change Elastic password"
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
run_as_other_user_if_needed echo "$SECURITY_ELASTIC_PASSWORD" | elasticsearch-keystore add -xf 'bootstrap.password'
else
input=${SECURITY_CREDENTIALS_FILE}
ELASTIC_PASSWORD_FROM_FILE=""
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASSWORD_FROM_FILE=${arrIN[1]}
fi
done < "$input"
run_as_other_user_if_needed echo "$ELASTIC_PASSWORD_FROM_FILE" | elasticsearch-keystore add -xf 'bootstrap.password'
fi
echo "Elastic password changed"
fi
run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch

265
elasticsearch/config/35-entrypoint_load_settings.sh Normal file
View File

@@ -0,0 +1,265 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url and Wazuh API url.
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
if [[ "x${WAZUH_API_URL}" = "x" ]]; then
wazuh_url="https://wazuh"
else
wazuh_url="${WAZUH_API_URL}"
fi
echo "LOAD SETTINGS - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password and
# WAZUH API credentials.
##############################################################################
ELASTIC_PASS=""
WAZH_API_USER=""
WAZH_API_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
WAZH_API_USER=${API_USER}
WAZH_API_PASS=${API_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
elif [[ $line == *"WAZUH_API_USER"* ]]; then
arrIN=(${line//:/ })
WAZH_API_USER=${arrIN[1]}
elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
arrIN=(${line//:/ })
WAZH_API_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "LOAD SETTINGS - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "LOAD SETTINGS - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "LOAD SETTINGS - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "LOAD SETTINGS - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "LOAD SETTINGS - Elastic is up - executing command"
##############################################################################
# Configure S3 repository for Elasticsearch snapshots.
##############################################################################
if [ $ENABLE_CONFIGURE_S3 ]; then
#Wait for Elasticsearch to be ready to create the repository
sleep 10
>&2 echo "S3 - Configure S3"
if [ "x$S3_PATH" != "x" ]; then
>&2 echo "S3 - Path: $S3_PATH"
if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
>&2 echo "S3 - Elasticsearch major version: $S3_ELASTIC_MAJOR"
echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh."
bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
else
>&2 echo "S3 - Elasticserach major version not given."
echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh."
bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
fi
fi
fi
##############################################################################
# Load custom policies.
##############################################################################
echo "LOAD SETTINGS - Loading custom Elasticsearch policies."
bash /usr/share/elasticsearch/35-load_settings_policies.sh
##############################################################################
# Modify wazuh-alerts template shards and replicas
##############################################################################
echo "LOAD SETTINGS - Change shards and replicas of wazuh-alerts template."
sed -i 's:"index.number_of_shards"\: "3":"index.number_of_shards"\: "'$WAZUH_ALERTS_SHARDS'":g' /usr/share/elasticsearch/config/wazuh-template.json
sed -i 's:"index.number_of_replicas"\: "0":"index.number_of_replicas"\: "'$WAZUH_ALERTS_REPLICAS'":g' /usr/share/elasticsearch/config/wazuh-template.json
##############################################################################
# Load default templates
##############################################################################
echo "LOAD SETTINGS - Loading wazuh-alerts template"
bash /usr/share/elasticsearch/35-load_settings_templates.sh
##############################################################################
# Load custom aliases.
##############################################################################
echo "LOAD SETTINGS - Loading custom Elasticsearch aliases."
bash /usr/share/elasticsearch/35-load_settings_aliases.sh
##############################################################################
# Elastic Stack users creation.
# Only security main node can manage users.
##############################################################################
echo "LOAD SETTINGS - Run users_management.sh."
MY_HOSTNAME=`hostname`
echo "LOAD SETTINGS - Hostname: $MY_HOSTNAME"
if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
bash /usr/share/elasticsearch/35-load_settings_users_management.sh &
fi
##############################################################################
# Prepare Wazuh API credentials
##############################################################################
API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
API_PASSWORD=`echo -n $API_PASS_Q | base64`
echo "LOAD SETTINGS - Setting API credentials into Wazuh APP"
CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
if [ "x$CONFIG_CODE" != "x200" ]; then
curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
{
"api_user": "'"$API_USER_Q"'",
"api_password": "'"$API_PASSWORD"'",
"url": "'"$wazuh_url"'",
"api_port": "55000",
"insecure": "true",
"component": "API",
"cluster_info": {
"manager": "wazuh-manager",
"cluster": "Disabled",
"status": "disabled"
},
"extensions": {
"oscap": true,
"audit": true,
"pci": true,
"aws": true,
"virustotal": true,
"gdpr": true,
"ciscat": true
}
}
' > /dev/null
else
echo "LOAD SETTINGS - Wazuh APP already configured"
echo "LOAD SETTINGS - Check if it is an upgrade from Elasticsearch 6.x to 7.x"
wazuh_search_request=`curl -s ${auth} "$el_url/.wazuh/_search?pretty"`
full_type=`echo $wazuh_search_request | jq .hits.hits | jq .[] | jq ._type`
elasticsearch_request=`curl -s $auth "$el_url"`
full_elasticsearch_version=`echo $elasticsearch_request | jq .version.number`
type=`echo "$full_type" | tr -d '"'`
elasticsearch_version=`echo "$full_elasticsearch_version" | tr -d '"'`
elasticsearch_major="${elasticsearch_version:0:1}"
if [[ $type == "wazuh-configuration" ]] && [[ $elasticsearch_major == "7" ]]; then
echo "LOAD SETTINGS - Elasticsearch major = $elasticsearch_major."
echo "LOAD SETTINGS - Reindex .wazuh in .wazuh-backup."
curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
{
"source": {
"index": ".wazuh"
},
"dest": {
"index": ".wazuh-backup"
}
}
'
echo "LOAD SETTINGS - Remove .wazuh index."
curl -s ${auth} -XDELETE "$el_url/.wazuh"
echo "LOAD SETTINGS - Reindex .wazuh-backup in .wazuh."
curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
{
"source": {
"index": ".wazuh-backup"
},
"dest": {
"index": ".wazuh"
}
}
'
curl -s ${auth} -XPUT "https://elasticsearch:9200/.wazuh-backup/_settings?pretty" -H 'Content-Type: application/json' -d'
{
"index" : {
"number_of_replicas" : 0
}
}
'
fi
fi
sleep 5
curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
{
"persistent": {
"xpack.monitoring.collection.enabled": true
}
}
'
##############################################################################
# Set cluster delayed timeout when node falls
##############################################################################
curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d'
{
"settings": {
"index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
}
}
'
echo "LOAD SETTINGS - cluster delayed timeout changed."
echo "LOAD SETTINGS - Elasticsearch is ready."

86
elasticsearch/config/35-load_settings_aliases.sh Normal file
View File

@@ -0,0 +1,86 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
echo "ALIASES - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password.
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# If Elasticsearch security is enabled get the users credentials.
##############################################################################
# The user must get the credentials of the users.
# TO DO.
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "ALIASES - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "ALIASES - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "ALIASES - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "ALIASES - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "ALIASES - Elastic is up - executing command"
##############################################################################
# Add custom aliases.
##############################################################################
# The user must add the credentials of the users.
# TO DO.
# Example
# echo "ALIASES - Add custom_user password and role:"
# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d'
# { "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}'

107
elasticsearch/config/35-load_settings_configure_s3.sh Normal file
View File

@@ -0,0 +1,107 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# If Secure access to Kibana is enabled, we must set the credentials for
# monitoring
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-u elastic:${ELASTIC_PASS} -k"
else
auth=""
fi
# Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error.
# param 1: number of arguments passed to configure_s3.sh
function CheckArgs()
{
if [ $1 != 4 ] && [ $1 != 5 ];then
echo "Use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> (By default <current_elasticsearch_major_version> is added to the path and the repository name)"
echo "or use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> <Elasticsearch major version>"
exit 1
fi
}
# Create S3 repository from base_path <path>/<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
# Repository name would be <RepositoryName>-<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
# param 1: <Elastic_Server_IP:Port>
# param 2: <Bucket>
# param 3: <Path>
# param 4: <RepositoryName>
# param 5: Optional <Elasticsearch major version>
# output: It will show "acknowledged" if the repository has been successfully created
function CreateRepo()
{
elastic_ip_port="$2"
bucket_name="$3"
path="$4"
repository_name="$5"
if [ $1 == 5 ];then
version="$6"
else
version=`curl ${auth} -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
fi
if ! [[ "$version" =~ ^[0-9]+$ ]];then
echo "Elasticsearch major version must be an integer"
exit 1
fi
repository="$repository_name-$version"
s3_path="$path/$version"
>&2 echo "Create S3 repository"
until curl ${auth} -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d' {"type": "s3", "settings": { "bucket": "'$bucket_name'", "base_path": "'$s3_path'"} }'; do
>&2 echo "Elastic is unavailable, S3 repository not created - sleeping"
sleep 5
done
>&2 echo "S3 repository created"
}
# Run functions CheckArgs and CreateRepo
# param 1: number of arguments passed to configure_s3.sh
# param 2: <Elastic_Server_IP:Port>
# param 3: <Bucket>
# param 4: <Path>
# param 5: <RepositoryName>
# param 6: Optional <Elasticsearch major version>
function Main()
{
CheckArgs $1
CreateRepo $1 $2 $3 $4 $5 $6
}
Main $# $1 $2 $3 $4 $5

86
elasticsearch/config/35-load_settings_policies.sh Normal file
View File

@@ -0,0 +1,86 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
echo "POLICIES - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password.
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# If Elasticsearch security is enabled get the users credentials.
##############################################################################
# The user must get the credentials of the users.
# TO DO.
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "POLICIES - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "POLICIES - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "POLICIES - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "POLICIES - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "POLICIES - Elastic is up - executing command"
##############################################################################
# Add custom policies.
##############################################################################
# The user must add the credentials of the users.
# TO DO.
# Example
# echo "POLICIES - Add custom_user password and role:"
# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d'
# { "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}'

81
elasticsearch/config/35-load_settings_templates.sh Normal file
View File

@@ -0,0 +1,81 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
echo "TEMPLATES - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password.
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# If Elasticsearch security is enabled get the users credentials.
##############################################################################
# The user must get the credentials of the users.
# TO DO.
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "TEMPLATES - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "TEMPLATES - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "TEMPLATES - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "TEMPLATES - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "TEMPLATES - Elastic is up - executing command"
##############################################################################
# Add wazuh-alerts templates.
##############################################################################
echo "TEMPLATES - Loading default wazuh-alerts template."
cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-

100
elasticsearch/config/35-load_settings_users_management.sh Normal file
View File

@@ -0,0 +1,100 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
echo "USERS - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password.
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# If Elasticsearch security is enabled get the users credentials.
##############################################################################
# The user must get the credentials of the users.
# TO DO.
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "USERS - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "USERS - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "USERS - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "USERS - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "USERS - Elastic is up - executing command"
##############################################################################
# Setup passwords for Elastic Stack users.
##############################################################################
# The user must add the credentials of the users.
# TO DO.
# Example
# echo "USERS - Add custom_user password and role:"
# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/custom_user_role ' -d '
# { "indices": [ { "names": [ ".kibana*" ], "privileges": ["read"] }, { "names": [ "wazuh-monitoring*"], "privileges": ["all"] }] }'
# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/custom_user' -d '
# { "password":"'$CUSTOM_USER_PASSWORD'", "roles" : [ "kibana_system", "custom_user_role"], "full_name" : "Custom User" }'
##############################################################################
# Remove credentials file.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "USERS - Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
echo "USERS - Security credentials file removed."
fi

132
elasticsearch/config/TEST_openssl.cnf Normal file
View File

@@ -0,0 +1,132 @@
# OpenSSL intermediate CA configuration file.
# Copy to `/root/ca/intermediate/openssl.cnf`.
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = /root/ca/intermediate
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = GB
stateOrProvinceName_default = England
localityName_default =
0.organizationName_default = Alice Ltd
organizationalUnitName_default =
emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

8
elasticsearch/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,8 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done

10
generate-opendistro-certs.yml
View File

@@ -1,10 +0,0 @@
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
version: '3'
services:
generator:
image: wazuh/opendistro-certs-generator:0.1
hostname: opendistro-certs-generator
volumes:
- ./production_cluster/ssl_certs/certs.yml:/usr/src/config/myconf.yml
- ./production_cluster/ssl_certs/:/usr/src/certs/out/

60
kibana-odfe/Dockerfile
View File

@@ -1,60 +0,0 @@
# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
FROM amazon/opendistro-for-elasticsearch-kibana:1.11.0
USER kibana
ARG ELASTIC_VERSION=7.9.1
ARG WAZUH_VERSION=4.0.4
ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
WORKDIR /usr/share/kibana
RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip
WORKDIR /
USER root
COPY config/entrypoint.sh ./entrypoint.sh
RUN chmod 755 ./entrypoint.sh
ENV PATTERN="" \
CHECKS_PATTERN="" \
CHECKS_TEMPLATE="" \
CHECKS_API="" \
CHECKS_SETUP="" \
EXTENSIONS_PCI="" \
EXTENSIONS_GDPR="" \
EXTENSIONS_HIPAA="" \
EXTENSIONS_NIST="" \
EXTENSIONS_TSC="" \
EXTENSIONS_AUDIT="" \
EXTENSIONS_OSCAP="" \
EXTENSIONS_CISCAT="" \
EXTENSIONS_AWS="" \
EXTENSIONS_GCP="" \
EXTENSIONS_VIRUSTOTAL="" \
EXTENSIONS_OSQUERY="" \
EXTENSIONS_DOCKER="" \
APP_TIMEOUT="" \
API_SELECTOR="" \
IP_SELECTOR="" \
IP_IGNORE="" \
WAZUH_MONITORING_ENABLED="" \
WAZUH_MONITORING_FREQUENCY="" \
WAZUH_MONITORING_SHARDS="" \
WAZUH_MONITORING_REPLICAS="" \
ADMIN_PRIVILEGES=""
USER kibana
RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --optimize
COPY ./config/custom_welcome /tmp/custom_welcome
COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
RUN chmod +x ./welcome_wazuh.sh
ARG CHANGE_WELCOME="true"
RUN ./welcome_wazuh.sh
COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/optimize/wazuh/config/wazuh.yml
COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
RUN chmod +x ./wazuh_app_config.sh
COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
RUN chmod +x ./kibana_settings.sh
ENTRYPOINT ./entrypoint.sh

4349
kibana-odfe/config/custom_welcome/light_theme.style.css
View File

File diff suppressed because it is too large Load Diff

112
kibana-odfe/config/custom_welcome/template.js.hbs
View File

@@ -1,112 +0,0 @@
var kbnCsp = JSON.parse(document.querySelector('kbn-csp').getAttribute('data'));
window.__kbnStrictCsp__ = kbnCsp.strictCsp;
window.__kbnThemeTag__ = "{{themeTag}}";
window.__kbnPublicPath__ = {{publicPathMap}};
window.__kbnBundles__ = {{kbnBundlesLoaderSource}}
if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) {
var legacyBrowserError = document.getElementById('kbn_legacy_browser_error');
legacyBrowserError.style.display = 'flex';
} else {
if (!window.__kbnCspNotEnforced__ && window.console) {
window.console.log("^ A single error about an inline script not firing due to content security policy is expected!");
}
var loadingMessage = document.getElementById('kbn_loading_message');
loadingMessage.style.display = 'flex';
window.onload = function () {
//WAZUH
var interval = setInterval(() => {
var title = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--medium > div")
if (!!title) {
clearInterval(interval);
var content = document.querySelector("#kibana-body > div");
content.classList.add("wz-login")
title.textContent = "Welcome to Wazuh";
var subtitle = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--small > div")
subtitle.textContent = "The Open Source Security Platform";
var logo = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > figure");
logo.remove();
var logoContainer = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul");
$(logoContainer).prepend('<span class="loginWelcome__logo"></span>');
}
})
//
function failure() {
// make subsequent calls to failure() noop
failure = function () {};
var err = document.createElement('h1');
err.style['color'] = 'white';
err.style['font-family'] = 'monospace';
err.style['text-align'] = 'center';
err.style['background'] = '#F44336';
err.style['padding'] = '25px';
err.innerText = document.querySelector('[data-error-message]').dataset.errorMessage;
document.body.innerHTML = err.outerHTML;
}
var stylesheetTarget = document.querySelector('head meta[name="add-styles-here"]')
function loadStyleSheet(url, cb) {
var dom = document.createElement('link');
dom.rel = 'stylesheet';
dom.type = 'text/css';
dom.href = url;
dom.addEventListener('error', failure);
dom.addEventListener('load', cb);
document.head.insertBefore(dom, stylesheetTarget);
}
var scriptsTarget = document.querySelector('head meta[name="add-scripts-here"]')
function loadScript(url, cb) {
var dom = document.createElement('script');
{{!-- NOTE: async = false is used to trigger async-download/ordered-execution as outlined here: https://www.html5rocks.com/en/tutorials/speed/script-loading/ --}}
dom.async = false;
dom.src = url;
dom.addEventListener('error', failure);
dom.addEventListener('load', cb);
document.head.insertBefore(dom, scriptsTarget);
}
function load(urls, cb) {
var pending = urls.length;
urls.forEach(function (url) {
var innerCb = function () {
pending = pending - 1;
if (pending === 0 && typeof cb === 'function') {
cb();
}
}
if (typeof url !== 'string') {
load(url, innerCb);
} else if (url.slice(-4) === '.css') {
loadStyleSheet(url, innerCb);
} else {
loadScript(url, innerCb);
}
});
}
load([
{{#each jsDependencyPaths}}
'{{this}}',
{{/each}}
], function () {
{{#unless legacyBundlePath}}
__kbnBundles__.get('entry/core/public').__kbnBootstrap__();
{{/unless}}
load([
{{#if legacyBundlePath}}
'{{legacyBundlePath}}',
{{/if}}
{{#each styleSheetPaths}}
'{{this}}',
{{/each}}
]);
});
}
}

1
kibana-odfe/config/custom_welcome/wazuh_logo_circle.svg
View File

@@ -1 +0,0 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 84.67 84.67"><defs><style>.a{fill:#fff;}.b{fill:#00a9e5;}</style></defs><title>wazuh_logo_circle</title><circle class="a" cx="42.34" cy="42.34" r="42.34"/><path class="b" d="M58.13,9.2,50,26.32H35.07L26.16,9.2,20,31l-8.53,9.72,19.18,17.6,7.47,17.21h8.53l7-16.91L73.24,40.83l-8.73-9.57ZM48.58,55.13a1.79,1.79,0,0,1-.74.62,2.49,2.49,0,0,1-1,.2,2.52,2.52,0,0,1-1-.2,1.84,1.84,0,0,1-.71-.62l-2.88-4.36-2.9,4.36a1.87,1.87,0,0,1-.72.62,2.48,2.48,0,0,1-.95.2,1.94,1.94,0,0,1-1.7-.82L21.3,41.37h4.09L37.87,52.3l2.49-3.89h3.93L47,52.3,59.63,40.9h3.74Z"/></svg>
Side by Side

Before

Width:  |  Height:  |  Size: 604 B

1
kibana-odfe/config/custom_welcome/wazuh_wazuh_bg.svg
View File

File diff suppressed because one or more lines are too long
Side by Side

Before

Width:  |  Height:  |  Size: 32 KiB

65
kibana-odfe/config/entrypoint.sh
View File

@@ -1,65 +0,0 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Waiting for elasticsearch
##############################################################################
if [ "x${ELASTICSEARCH_URL}" == "x" ]; then
if [[ ${ENABLED_SECURITY} == "false" ]]; then
export el_url="http://elasticsearch:9200"
else
export el_url="https://elasticsearch:9200"
fi
else
export el_url="${ELASTICSEARCH_URL}"
fi
if [[ ${ENABLED_SECURITY} == "false" || "x${ELASTICSEARCH_USERNAME}" == "x" || "x${ELASTICSEARCH_PASSWORD}" == "x" ]]; then
auth=""
# remove security plugin from kibana if elasticsearch is not using it either
/usr/share/kibana/bin/kibana-plugin remove opendistro_security
else
export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"
fi
until curl -XGET $el_url ${auth}; do
>&2 echo "Elastic is unavailable - sleeping"
sleep 5
done
sleep 2
>&2 echo "Elasticsearch is up."
##############################################################################
# Waiting for wazuh alerts template
##############################################################################
strlen=0
while [[ $strlen -eq 0 ]]
do
template=$(curl ${auth} $el_url/_cat/templates/wazuh -s)
strlen=${#template}
>&2 echo "Wazuh alerts template not loaded - sleeping."
sleep 2
done
sleep 2
>&2 echo "Wazuh alerts template is loaded."
./wazuh_app_config.sh
sleep 5
./kibana_settings.sh &
sleep 2
/usr/local/bin/kibana-docker

60
kibana-odfe/config/kibana_settings.sh
View File

@@ -1,60 +0,0 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
WAZUH_MAJOR=4
##############################################################################
# Wait for the Kibana API to start. It is necessary to do it in this container
# because the others are running Elastic Stack and we can not interrupt them.
#
# The following actions are performed:
#
# Add the wazuh alerts index as default.
# Set the Discover time interval to 24 hours instead of 15 minutes.
# Do not ask user to help providing usage statistics to Elastic.
##############################################################################
##############################################################################
# Customize elasticsearch ip
##############################################################################
sed -i "s|elasticsearch.hosts:.*|elasticsearch.hosts: $el_url|g" /usr/share/kibana/config/kibana.yml
# disable multitenancy
sed -i "s|opendistro_security.multitenancy.enabled:.*|opendistro_security.multitenancy.enabled: false|g" /usr/share/kibana/config/kibana.yml
# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
if [ "$KIBANA_INDEX" != "" ]; then
if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
fi
echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
fi
while [[ "$(curl -XGET -I -s -o /dev/null -w '%{http_code}' -k https://127.0.0.1:5601/app/login)" != "200" ]]; do
echo "Waiting for Kibana API. Sleeping 5 seconds"
sleep 5
done
# Prepare index selection.
echo "Kibana API is running"
default_index="/tmp/default_index.json"
cat > ${default_index} << EOF
{
"changes": {
"defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
}
}
EOF
sleep 5
# Add the wazuh alerts index as default.
curl ${auth} -POST -k https://127.0.0.1:5601/api/kibana/settings -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
rm -f ${default_index}
sleep 5
# Configuring Kibana TimePicker.
curl ${auth} -POST -k "https://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-12h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}'
echo "End settings"

162
kibana-odfe/config/wazuh.yml
View File

@@ -1,162 +0,0 @@
---
#
# Wazuh app - App configuration file
# Copyright (C) 2015-2021 Wazuh, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Find more information about this on the LICENSE file.
#
# ======================== Wazuh app configuration file ========================
#
# Please check the documentation for more information on configuration options:
# https://documentation.wazuh.com/current/installation-guide/index.html
#
# Also, you can check our repository:
# https://github.com/wazuh/wazuh-kibana-app
#
# ------------------------------- Index patterns -------------------------------
#
# Default index pattern to use.
#pattern: wazuh-alerts-*
#
# ----------------------------------- Checks -----------------------------------
#
# Defines which checks must to be consider by the healthcheck
# step once the Wazuh app starts. Values must to be true or false.
#checks.pattern : true
#checks.template: true
#checks.api : true
#checks.setup : true
#checks.metaFields: true
#
# --------------------------------- Extensions ---------------------------------
#
# Defines which extensions should be activated when you add a new API entry.
# You can change them after Wazuh app starts.
# Values must to be true or false.
#extensions.pci : true
#extensions.gdpr : true
#extensions.hipaa : true
#extensions.nist : true
#extensions.tsc : true
#extensions.audit : true
#extensions.oscap : false
#extensions.ciscat : false
#extensions.aws : false
#extensions.gcp : false
#extensions.virustotal: false
#extensions.osquery : false
#extensions.docker : false
#
# ---------------------------------- Time out ----------------------------------
#
# Defines maximum timeout to be used on the Wazuh app requests.
# It will be ignored if it is bellow 1500.
# It means milliseconds before we consider a request as failed.
# Default: 20000
#timeout: 20000
#
# -------------------------------- API selector --------------------------------
#
# Defines if the user is allowed to change the selected
# API directly from the Wazuh app top menu.
# Default: true
#api.selector: true
#
# --------------------------- Index pattern selector ---------------------------
#
# Defines if the user is allowed to change the selected
# index pattern directly from the Wazuh app top menu.
# Default: true
#ip.selector: true
#
# List of index patterns to be ignored
#ip.ignore: []
#
# -------------------------------- X-Pack RBAC ---------------------------------
#
# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
# Default: enabled
#xpack.rbac.enabled: true
#
# ------------------------------ wazuh-monitoring ------------------------------
#
# Custom setting to enable/disable wazuh-monitoring indices.
# Values: true, false, worker
# If worker is given as value, the app will show the Agents status
# visualization but won't insert data on wazuh-monitoring indices.
# Default: true
#wazuh.monitoring.enabled: true
#
# Custom setting to set the frequency for wazuh-monitoring indices cron task.
# Default: 900 (s)
#wazuh.monitoring.frequency: 900
#
# Configure wazuh-monitoring-* indices shards and replicas.
#wazuh.monitoring.shards: 2
#wazuh.monitoring.replicas: 0
#
# Configure wazuh-monitoring-* indices custom creation interval.
# Values: h (hourly), d (daily), w (weekly), m (monthly)
# Default: d
#wazuh.monitoring.creation: d
#
# Default index pattern to use for Wazuh monitoring
#wazuh.monitoring.pattern: wazuh-monitoring-*
#
# --------------------------------- wazuh-cron ----------------------------------
#
# Customize the index prefix of predefined jobs
# This change is not retroactive, if you change it new indexes will be created
# cron.prefix: test
#
# ------------------------------ wazuh-statistics -------------------------------
#
# Custom setting to enable/disable statistics tasks.
#cron.statistics.status: true
#
# Enter the ID of the APIs you want to save data from, leave this empty to run
# the task on all configured APIs
#cron.statistics.apis: []
#
# Define the frequency of task execution using cron schedule expressions
#cron.statistics.interval: 0 0 * * * *
#
# Define the name of the index in which the documents are to be saved.
#cron.statistics.index.name: statistics
#
# Define the interval in which the index will be created
#cron.statistics.index.creation: w
#
# ------------------------------- App privileges --------------------------------
#admin: true
#
# ---------------------------- Hide manager alerts ------------------------------
# Hide the alerts of the manager in all dashboards and discover
#hideManagerAlerts: false
#
# ------------------------------- App logging level -----------------------------
# Set the logging level for the Wazuh App log files.
# Default value: info
# Allowed values: info, debug
#logs.level: info
#
# -------------------------------- Enrollment DNS -------------------------------
# Set the variable WAZUH_REGISTRATION_SERVER in agents deployment.
# Default value: ''
#enrollment.dns: ''
#
#-------------------------------- API entries -----------------------------------
#The following configuration is the default structure to define an API entry.
#
#hosts:
# - <id>:
# url: http(s)://<url>
# port: <port>
# username: <username>
# password: <password>

14
kibana-odfe/config/welcome_wazuh.sh
View File

@@ -1,14 +0,0 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
if [[ $CHANGE_WELCOME == "true" ]]
then
echo "Set Wazuh app as the default landing page"
echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml
echo "Set custom welcome styles"
cp -f /tmp/custom_welcome/template.js.hbs /usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs
cp -f /tmp/custom_welcome/light_theme.style.css /usr/share/kibana/optimize/bundles/light_theme.style.css
cp -f /tmp/custom_welcome/*svg /usr/share/kibana/optimize/bundles/
fi

99
kibana/Dockerfile Normal file
View File

@@ -0,0 +1,99 @@
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM docker.elastic.co/kibana/kibana:7.3.2
ARG ELASTIC_VERSION=7.3.2
ARG WAZUH_VERSION=3.10.2
ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
USER root
# App: 3.10.2 - 7.3.2 with this fix: https://github.com/wazuh/wazuh-kibana-app/issues/1815
#ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
COPY config/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
USER kibana
RUN /usr/share/kibana/bin/kibana-plugin install --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
USER root
RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
COPY config/entrypoint.sh ./entrypoint.sh
RUN chmod 755 ./entrypoint.sh
RUN mkdir /entrypoint-scripts
USER kibana
ENV CONFIGURATION_FROM_FILE="false"
ENV PATTERN="" \
CHECKS_PATTERN="" \
CHECKS_TEMPLATE="" \
CHECKS_API="" \
CHECKS_SETUP="" \
EXTENSIONS_PCI="" \
EXTENSIONS_GDPR="" \
EXTENSIONS_AUDIT="" \
EXTENSIONS_OSCAP="" \
EXTENSIONS_CISCAT="" \
EXTENSIONS_AWS="" \
EXTENSIONS_VIRUSTOTAL="" \
EXTENSIONS_OSQUERY="" \
APP_TIMEOUT="" \
WAZUH_SHARDS="" \
WAZUH_REPLICAS="" \
WAZUH_VERSION_SHARDS="" \
WAZUH_VERSION_REPLICAS="" \
IP_SELECTOR="" \
IP_IGNORE="" \
XPACK_RBAC_ENABLED="" \
WAZUH_MONITORING_ENABLED="" \
WAZUH_MONITORING_FREQUENCY="" \
WAZUH_MONITORING_SHARDS="" \
WAZUH_MONITORING_REPLICAS="" \
ADMIN_PRIVILEGES=""
ARG XPACK_CANVAS="false"
ARG XPACK_LOGS="false"
ARG XPACK_INFRA="false"
ARG XPACK_ML="false"
ARG XPACK_DEVTOOLS="false"
ARG XPACK_MONITORING="false"
ARG XPACK_APM="false"
ARG XPACK_MAPS="false"
ARG XPACK_UPTIME="false"
ARG XPACK_SIEM="false"
ARG CHANGE_WELCOME="true"
COPY --chown=kibana:kibana ./config/10-wazuh_app_config.sh /entrypoint-scripts/10-wazuh_app_config.sh
COPY --chown=kibana:kibana ./config/15-decrypt_credentials.sh /entrypoint-scripts/15-decrypt_credentials.sh
COPY --chown=kibana:kibana ./config/20-entrypoint.sh /entrypoint-scripts/20-entrypoint.sh
COPY --chown=kibana:kibana ./config/20-entrypoint_kibana_settings.sh ./
COPY --chown=kibana:kibana ./config/20-entrypoint_certs_management.sh ./
RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh && \
chmod +x /entrypoint-scripts/15-decrypt_credentials.sh && \
chmod +x /entrypoint-scripts/20-entrypoint.sh && \
chmod +x ./20-entrypoint_kibana_settings.sh && \
chmod +x ./20-entrypoint_certs_management.sh
COPY --chown=kibana:kibana ./config/xpack_config.sh ./
RUN chmod +x ./xpack_config.sh
RUN ./xpack_config.sh
COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
RUN chmod +x ./welcome_wazuh.sh
RUN ./welcome_wazuh.sh
RUN /usr/local/bin/kibana-docker --optimize
USER root
RUN chmod 660 /usr/share/kibana/plugins/wazuh/config.yml && \
chmod 775 /usr/share/kibana/plugins/wazuh && \
chown root:kibana /usr/share/kibana/plugins/wazuh/config.yml && \
chown root:kibana /usr/share/kibana/plugins/wazuh
USER kibana
ENTRYPOINT ./entrypoint.sh

38
kibana-odfe/config/wazuh_app_config.sh → kibana/config/10-wazuh_app_config.sh
View File

@@ -1,12 +1,7 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
wazuh_url="${WAZUH_API_URL:-https://wazuh}"
wazuh_port="${API_PORT:-55000}"
api_username="${API_USERNAME:-wazuh-wui}"
api_password="${API_PASSWORD:-wazuh-wui}"
kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml"
kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml"
declare -A CONFIG_MAP=(
[pattern]=$PATTERN
@@ -16,21 +11,20 @@ declare -A CONFIG_MAP=(
[checks.setup]=$CHECKS_SETUP
[extensions.pci]=$EXTENSIONS_PCI
[extensions.gdpr]=$EXTENSIONS_GDPR
[extensions.hipaa]=$EXTENSIONS_HIPAA
[extensions.nist]=$EXTENSIONS_NIST
[extensions.tsc]=$EXTENSIONS_TSC
[extensions.audit]=$EXTENSIONS_AUDIT
[extensions.oscap]=$EXTENSIONS_OSCAP
[extensions.ciscat]=$EXTENSIONS_CISCAT
[extensions.aws]=$EXTENSIONS_AWS
[extensions.gcp]=$EXTENSIONS_GCP
[extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
[extensions.osquery]=$EXTENSIONS_OSQUERY
[extensions.docker]=$EXTENSIONS_DOCKER
[timeout]=$APP_TIMEOUT
[api.selector]=$API_SELECTOR
[wazuh.shards]=$WAZUH_SHARDS
[wazuh.replicas]=$WAZUH_REPLICAS
[wazuh-version.shards]=$WAZUH_VERSION_SHARDS
[wazuh-version.replicas]=$WAZUH_VERSION_REPLICAS
[ip.selector]=$IP_SELECTOR
[ip.ignore]=$IP_IGNORE
[xpack.rbac.enabled]=$XPACK_RBAC_ENABLED
[wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
[wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
[wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
@@ -44,21 +38,3 @@ do
sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
fi
done
CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013)
grep -q 1513629884013 $kibana_config_file
_config_exists=$?
if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
cat << EOF >> $kibana_config_file
hosts:
- 1513629884013:
url: $wazuh_url
port: $wazuh_port
username: $api_username
password: $api_password
EOF
else
echo "Wazuh APP already configured"
fi

15
kibana/config/15-decrypt_credentials.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the credentials of the users to be created are encrypted,
# they must be decrypted for later use.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
echo "TO DO"
fi
# TO DO

126
kibana/config/20-entrypoint.sh Normal file
View File

@@ -0,0 +1,126 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url.
##############################################################################
if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_URL}"
fi
echo "ENTRYPOINT - Set Elasticsearc url:${ELASTICSEARCH_URL}"
##############################################################################
# If there are credentials for Kibana they are obtained.
##############################################################################
KIBANA_USER=""
KIBANA_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
KIBANA_USER=${SECURITY_KIBANA_USER}
KIBANA_PASS=${SECURITY_KIBANA_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"KIBANA_PASSWORD"* ]]; then
arrIN=(${line//:/ })
KIBANA_PASS=${arrIN[1]}
elif [[ $line == *"KIBANA_USER"* ]]; then
arrIN=(${line//:/ })
KIBANA_USER=${arrIN[1]}
fi
done < "$input"
fi
echo "ENTRYPOINT - Kibana credentials obtained."
##############################################################################
# Establish the way to run the curl command, with or without authentication.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k"
elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
auth=""
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
fi
echo "ENTRYPOINT - Kibana authentication established."
##############################################################################
# Waiting for elasticsearch.
##############################################################################
until curl -XGET $el_url ${auth}; do
>&2 echo "ENTRYPOINT - Elastic is unavailable: sleeping"
sleep 5
done
sleep 2
>&2 echo "ENTRYPOINT - Elasticsearch is up."
##############################################################################
# Waiting for wazuh alerts template.
##############################################################################
strlen=0
while [[ $strlen -eq 0 ]]
do
template=$(curl $auth $el_url/_cat/templates/wazuh -s)
strlen=${#template}
>&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping."
sleep 2
done
sleep 2
>&2 echo "ENTRYPOINT - Wazuh alerts template is loaded."
##############################################################################
# Create keystore if security is enabled.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "ENTRYPOINT - Create Keystore."
/usr/share/kibana/bin/kibana-keystore create
# Add keys to keystore
echo -e "$KIBANA_PASS" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin
echo -e "$KIBANA_USER" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.username --stdin
echo "ENTRYPOINT - Keystore created."
fi
##############################################################################
# If security is enabled set Kibana configuration.
# Create the ssl certificate.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
bash /usr/share/kibana/20-entrypoint_certs_management.sh
fi
##############################################################################
# Run kibana_settings.sh script.
##############################################################################
bash /usr/share/kibana/20-entrypoint_kibana_settings.sh &
/usr/local/bin/kibana-docker

14
kibana/config/20-entrypoint_certs_management.sh Normal file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Kibana certs and keystore management
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "CERTS_MANAGEMENT - Create certificates. TO DO."
# TO DO
fi

183
kibana/config/20-entrypoint_kibana_settings.sh Normal file
View File

@@ -0,0 +1,183 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
WAZUH_MAJOR=3
##############################################################################
# Wait for the Kibana API to start. It is necessary to do it in this container
# because the others are running Elastic Stack and we can not interrupt them.
#
# The following actions are performed:
#
# Add the wazuh alerts index as default.
# Set the Discover time interval to 24 hours instead of 15 minutes.
# Do not ask user to help providing usage statistics to Elastic.
##############################################################################
##############################################################################
# Customize elasticsearch ip
##############################################################################
if [[ "$ELASTICSEARCH_KIBANA_IP" != "" && "$CONFIGURATION_FROM_FILE" == "false" ]]; then
sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml
sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
fi
echo "SETTINGS - Update Elasticsearch host."
# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
if [[ "$KIBANA_INDEX" != "" && "$CONFIGURATION_FROM_FILE" == "false" ]]; then
if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
fi
echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
fi
# If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false.
if [[ "$XPACK_SECURITY_ENABLED" != "" && "$CONFIGURATION_FROM_FILE" == "false" ]]; then
if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
fi
echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
fi
##############################################################################
# Get Kibana credentials
##############################################################################
if [ "$KIBANA_IP" != "" ]; then
kibana_ip="$KIBANA_IP"
else
kibana_ip="kibana"
fi
KIBANA_USER=""
KIBANA_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
KIBANA_USER=${SECURITY_KIBANA_USER}
KIBANA_PASS=${SECURITY_KIBANA_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"KIBANA_PASSWORD"* ]]; then
arrIN=(${line//:/ })
KIBANA_PASS=${arrIN[1]}
elif [[ $line == *"KIBANA_USER"* ]]; then
arrIN=(${line//:/ })
KIBANA_USER=${arrIN[1]}
fi
done < "$input"
fi
echo "SETTINGS - Kibana credentials obtained."
##############################################################################
# Set url authentication.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-k -u $KIBANA_USER:${KIBANA_PASS}"
kibana_secure_ip="https://$kibana_ip"
else
auth=""
kibana_secure_ip="http://$kibana_ip"
fi
echo "SETTINGS - Kibana authentication established."
##############################################################################
# Waiting for Kibana.
##############################################################################
while [[ "$(curl $auth -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
echo "SETTINGS - Waiting for Kibana API. Sleeping 5 seconds"
sleep 5
done
echo "SETTINGS - Kibana API is running"
##############################################################################
# Prepare index selection.
##############################################################################
echo "SETTINGS - Prepare index selection."
default_index="/tmp/default_index.json"
if [[ $PATTERN == "" ]]; then
cat > ${default_index} << EOF
{
"changes": {
"defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
}
}
EOF
else
cat > ${default_index} << EOF
{
"changes": {
"defaultIndex": "$PATTERN"
}
}
EOF
fi
sleep 5
##############################################################################
# Add the wazuh alerts index as default.
##############################################################################
echo "SETTINGS - Add the wazuh alerts index as default."
curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
rm -f ${default_index}
sleep 5
##############################################################################
# Configuring Kibana TimePicker.
##############################################################################
echo "SETTINGS - Configuring Kibana TimePicker."
curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}'
sleep 5
##############################################################################
# Do not ask user to help providing usage statistics to Elastic.
##############################################################################
echo "SETTINGS - Do not ask user to help providing usage statistics to Elastic."
curl $auth -POST "$kibana_secure_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
##############################################################################
# Remove credentials file.
##############################################################################
echo "SETTINGS - Remove credentials file."
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi
echo "End settings"

8
kibana/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,8 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done

1
kibana/config/wazuhapp-3.10.2_7.3.2.zip.REMOVED.git-id Normal file
View File

@@ -0,0 +1 @@
3cbdd26d9eeaff99f91312f703adccd828723b3c

29
kibana/config/welcome_wazuh.sh Normal file
View File

@@ -0,0 +1,29 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
if [[ $CHANGE_WELCOME == "true" ]]
then
rm -rf ./optimize/bundles
kibana_path="/usr/share/kibana"
# Set Wazuh app as the default landing page
echo "Set Wazuh app as the default landing page"
echo "server.defaultRoute: /app/wazuh" >> $kibana_path/config/kibana.yml
# Redirect Kibana welcome screen to Discover
echo "Redirect Kibana welcome screen to Discover"
sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/core/public/chrome/chrome_service.js
# Hide management undesired links
echo "Hide management undesired links"
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/rollup/public/crud_app/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/license_management/public/management_section.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/index_lifecycle_management/public/register_management_section.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/cross_cluster_replication/public/register_routes.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/upgrade_assistant/public/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/snapshot_restore/public/plugin.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/plugin.js
fi

43
kibana/config/xpack_config.sh Normal file
View File

@@ -0,0 +1,43 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
kibana_config_file="/usr/share/kibana/config/kibana.yml"
if grep -Fq "#xpack features" "$kibana_config_file";
then
declare -A CONFIG_MAP=(
[xpack.apm.ui.enabled]=$XPACK_APM
[xpack.grokdebugger.enabled]=$XPACK_DEVTOOLS
[xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
[xpack.ml.enabled]=$XPACK_ML
[xpack.canvas.enabled]=$XPACK_CANVAS
[xpack.logstash.enabled]=$XPACK_LOGS
[xpack.infra.enabled]=$XPACK_INFRA
[xpack.monitoring.enabled]=$XPACK_MONITORING
[xpack.maps.enabled]=$XPACK_MAPS
[xpack.uptime.enabled]=$XPACK_UPTIME
[xpack.siem.enabled]=$XPACK_SIEM
[console.enabled]=$XPACK_DEVTOOLS
)
for i in "${!CONFIG_MAP[@]}"
do
if [ "${CONFIG_MAP[$i]}" != "" ]; then
sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
fi
done
else
echo "
#xpack features
xpack.apm.ui.enabled: $XPACK_APM
xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
xpack.ml.enabled: $XPACK_ML
xpack.canvas.enabled: $XPACK_CANVAS
xpack.logstash.enabled: $XPACK_LOGS
xpack.infra.enabled: $XPACK_INFRA
xpack.monitoring.enabled: $XPACK_MONITORING
xpack.maps.enabled: $XPACK_MAPS
xpack.uptime.enabled: $XPACK_UPTIME
xpack.siem.enabled: $XPACK_SIEM
console.enabled: $XPACK_DEVTOOLS
" >> $kibana_config_file
fi

46
logstash/Dockerfile Normal file
View File

@@ -0,0 +1,46 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
ARG LOGSTASH_VERSION=7.3.2
FROM docker.elastic.co/logstash/logstash:${LOGSTASH_VERSION}
COPY --chown=logstash:logstash config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
RUN rm -f /usr/share/logstash/pipeline/logstash.conf
ENV PIPELINE_FROM_FILE="false"
COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf
# This CA is created for testing. Please set your own CA pem signed certificate.
# command: $ docker build <logstash_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_PEM_ARG=<CA_PEM_NAME>
# ENV variables are necessary: SECURITY_CA_PEM
# Sample:
# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
# ARG SECURITY_CA_PEM_ARG="server.TEST-CA-signed.pem"
ARG SECURITY_CA_PEM_LOCATION=""
ARG SECURITY_CA_PEM_ARG=""
# CA for secure communication with Elastic
ADD $SECURITY_CA_PEM_LOCATION /usr/share/logstash/config
# Set permissions for CA
USER root
RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chown logstash: /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chmod 400 /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
# Add entrypoint scripts
RUN mkdir /entrypoint-scripts
RUN chmod -R 774 /entrypoint-scripts
RUN chown -R logstash:logstash /entrypoint-scripts
COPY --chown=logstash:logstash ./config/05-decrypt_credentials.sh /entrypoint-scripts/05-decrypt_credentials.sh
COPY --chown=logstash:logstash ./config/10-entrypoint.sh /entrypoint-scripts/10-entrypoint.sh
COPY --chown=logstash:logstash ./config/10-entrypoint_configuration.sh ./config/10-entrypoint_configuration.sh
RUN chmod +x /entrypoint-scripts/05-decrypt_credentials.sh && \
chmod +x /entrypoint-scripts/10-entrypoint.sh && \
chmod +x ./config/10-entrypoint_configuration.sh
USER logstash
ENTRYPOINT /entrypoint.sh

48
logstash/config/01-wazuh.conf Normal file
View File

@@ -0,0 +1,48 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh - Logstash configuration file
## Remote Wazuh Manager - Filebeat input
input {
beats {
port => 5000
# ssl => true
# ssl_certificate => "/etc/logstash/logstash.crt"
# ssl_key => "/etc/logstash/logstash.key"
}
}
filter {
json {
source => "message"
}
}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
}
filter {
geoip {
source => "@src_ip"
target => "GeoLocation"
fields => ["city_name", "country_name", "region_name", "location"]
}
date {
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
mutate {
remove_field => [ "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
}
}
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
}
}

15
logstash/config/05-decrypt_credentials.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the credentials of the users to be created are encrypted,
# they must be decrypted for later use.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
echo "TO DO"
fi
# TO DO

163
logstash/config/10-entrypoint.sh Normal file
View File

@@ -0,0 +1,163 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
#
# OSSEC container bootstrap. See the README for information of the environment
# variables expected by this script.
#
set -e
##############################################################################
# Set elasticsearch url.
##############################################################################
if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_URL}"
fi
echo "ENTRYPOINT - Elasticsearch url: $el_url"
##############################################################################
# Get Logstash credentials.
##############################################################################
LOGSTASH_USER=""
LOGSTASH_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
arrIN=(${line//:/ })
LOGSTASH_PASS=${arrIN[1]}
elif [[ $line == *"LOGSTASH_USER"* ]]; then
arrIN=(${line//:/ })
LOGSTASH_USER=${arrIN[1]}
fi
done < "$input"
fi
echo "ENTRYPOINT - Logstash credentials obtained."
##############################################################################
# Set authentication for curl command.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-u ${LOGSTASH_USER}:${LOGSTASH_PASS} -k"
elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
auth=""
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
fi
echo "ENTRYPOINT - curl authentication established"
##############################################################################
# Customize logstash output ip.
##############################################################################
if [ "$LOGSTASH_OUTPUT" != "" ]; then
>&2 echo "ENTRYPOINT - Customize Logstash ouput ip."
sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml
if [[ "$PIPELINE_FROM_FILE" == "false" ]]; then
sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf
fi
fi
##############################################################################
# Waiting for elasticsearch.
##############################################################################
until curl $auth -XGET $el_url; do
>&2 echo "ENTRYPOINT - Elastic is unavailable - sleeping."
sleep 5
done
sleep 2
>&2 echo "ENTRYPOINT - Elasticsearch is up."
##############################################################################
# Create keystore if security is enabled.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "ENTRYPOINT - Create Keystore."
## Create secure keystore
SECURITY_RANDOM_PASS=`date +%s | sha256sum | base64 | head -c 32 ; echo`
export LOGSTASH_KEYSTORE_PASS=$SECURITY_RANDOM_PASS
/usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config create
## Settings for logstash.yml
bash /usr/share/logstash/config/10-entrypoint_configuration.sh
## Add keys to the keystore
echo -e "$LOGSTASH_USER" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_USER
echo -e "$LOGSTASH_PASS" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_PASS
fi
##############################################################################
# Waiting for wazuh alerts template
##############################################################################
strlen=0
while [[ $strlen -eq 0 ]]
do
template=$(curl $auth $el_url/_cat/templates/wazuh -s)
strlen=${#template}
>&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping."
sleep 2
done
sleep 2
>&2 echo "ENTRYPOINT - Wazuh alerts template is loaded."
##############################################################################
# Remove credentials file
##############################################################################
>&2 echo "ENTRYPOINT - Removing unnecessary files."
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "ENTRYPOINT - Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi
>&2 echo "ENTRYPOINT - Unnecessary files removed."
##############################################################################
# Map environment variables to entries in logstash.yml.
# Note that this will mutate logstash.yml in place if any such settings are found.
# This may be undesirable, especially if logstash.yml is bind-mounted from the
# host system.
##############################################################################
env2yaml /usr/share/logstash/config/logstash.yml
export LS_JAVA_OPTS="-Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ $LS_JAVA_OPTS"
if [[ -z $1 ]] || [[ ${1:0:1} == '-' ]] ; then
exec logstash "$@"
else
exec "$@"
fi

27
logstash/config/10-entrypoint_configuration.sh Normal file
View File

@@ -0,0 +1,27 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
#
# OSSEC container bootstrap. See the README for information of the environment
# variables expected by this script.
#
set -e
##############################################################################
# Adapt logstash.yml configuration.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "CONFIGURATION - TO DO"
# Settings for logstash.yml
# Example:
# echo "
# xpack.monitoring.enabled: true
# xpack.monitoring.elasticsearch.username: LOGSTASH_USER
# xpack.monitoring.elasticsearch.password: LOGSTASH_PASS
# xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/CA.pem
# " >> /usr/share/logstash/config/logstash.yml
fi

8
logstash/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,8 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done

19
nginx/Dockerfile Normal file
View File

@@ -0,0 +1,19 @@
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM nginx:latest
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install -y openssl apache2-utils
COPY config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
VOLUME ["/etc/nginx/conf.d"]
ENV NGINX_NAME="foo" \
NGINX_PWD="bar"
ENTRYPOINT /entrypoint.sh

79
nginx/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,79 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
# Generating certificates.
if [ ! -d /etc/nginx/conf.d/ssl ]; then
echo "Generating SSL certificates"
mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null
else
echo "SSL certificates already present"
fi
# Setting users credentials.
# In order to set NGINX_CREDENTIALS, before "docker-compose up -d" run (a or b):
#
# a) export NGINX_CREDENTIALS="user1:pass1;user2:pass2;" or
# export NGINX_CREDENTIALS="user1:pass1;user2:pass2"
#
# b) Set NGINX_CREDENTIALS in docker-compose.yml:
# NGINX_CREDENTIALS=user1:pass1;user2:pass2; or
# NGINX_CREDENTIALS=user1:pass1;user2:pass2
#
if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
echo "Setting users credentials"
if [ ! -z "$NGINX_CREDENTIALS" ]; then
IFS=';' read -r -a users <<< "$NGINX_CREDENTIALS"
for index in "${!users[@]}"
do
IFS=':' read -r -a credentials <<< "${users[index]}"
if [ $index -eq 0 ]; then
echo ${credentials[1]}|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} >/dev/null
else
echo ${credentials[1]}|htpasswd -i /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} >/dev/null
fi
done
else
# NGINX_PWD and NGINX_NAME are declared in nginx/Dockerfile
echo $NGINX_PWD|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME >/dev/null
fi
else
echo "Kibana credentials already configured"
fi
if [ "x${NGINX_PORT}" = "x" ]; then
NGINX_PORT=443
fi
if [ "x${KIBANA_HOST}" = "x" ]; then
KIBANA_HOST="kibana:5601"
fi
echo "Configuring NGINX"
cat > /etc/nginx/conf.d/default.conf <<EOF
server {
listen 80;
listen [::]:80;
return 301 https://\$host:${NGINX_PORT}\$request_uri;
}
server {
listen ${NGINX_PORT} default_server;
listen [::]:${NGINX_PORT};
ssl on;
ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
location / {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
proxy_pass http://${KIBANA_HOST}/;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
}
}
EOF
nginx -g 'daemon off;'

204
production-cluster.yml
View File

@@ -1,204 +0,0 @@
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
version: '3.7'
services:
wazuh-master:
image: wazuh/wazuh-odfe:4.0.4_1.11.0
hostname: wazuh-master
restart: always
ports:
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- ELASTICSEARCH_URL=https://elasticsearch:9200
- ELASTIC_USERNAME=admin
- ELASTIC_PASSWORD=SecretPassword
- FILEBEAT_SSL_VERIFICATION_MODE=full
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
- SSL_KEY=/etc/ssl/filebeat.key
- API_USERNAME=acme-user
- API_PASSWORD=MyS3cr37P450r.*-
volumes:
- ossec-api-configuration:/var/ossec/api/configuration
- ossec-etc:/var/ossec/etc
- ossec-logs:/var/ossec/logs
- ossec-queue:/var/ossec/queue
- ossec-var-multigroups:/var/ossec/var/multigroups
- ossec-integrations:/var/ossec/integrations
- ossec-active-response:/var/ossec/active-response/bin
- ossec-agentless:/var/ossec/agentless
- ossec-wodles:/var/ossec/wodles
- filebeat-etc:/etc/filebeat
- filebeat-var:/var/lib/filebeat
- ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
- ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
- ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
- ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
wazuh-worker:
image: wazuh/wazuh-odfe:4.0.4_1.11.0
hostname: wazuh-worker
restart: always
environment:
- ELASTICSEARCH_URL=https://elasticsearch:9200
- ELASTIC_USERNAME=admin
- ELASTIC_PASSWORD=SecretPassword
- FILEBEAT_SSL_VERIFICATION_MODE=full
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
- SSL_KEY=/etc/ssl/filebeat.key
volumes:
- worker-ossec-api-configuration:/var/ossec/api/configuration
- worker-ossec-etc:/var/ossec/etc
- worker-ossec-logs:/var/ossec/logs
- worker-ossec-queue:/var/ossec/queue
- worker-ossec-var-multigroups:/var/ossec/var/multigroups
- worker-ossec-integrations:/var/ossec/integrations
- worker-ossec-active-response:/var/ossec/active-response/bin
- worker-ossec-agentless:/var/ossec/agentless
- worker-ossec-wodles:/var/ossec/wodles
- worker-filebeat-etc:/etc/filebeat
- worker-filebeat-var:/var/lib/filebeat
- ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
- ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
- ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
- ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
elasticsearch:
image: amazon/opendistro-for-elasticsearch:1.11.0
hostname: elasticsearch
restart: always
ports:
- "9200:9200"
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- elastic-data-1:/usr/share/elasticsearch/data
- ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
- ./production_cluster/ssl_certs/node1.key:/usr/share/elasticsearch/config/node1.key
- ./production_cluster/ssl_certs/node1.pem:/usr/share/elasticsearch/config/node1.pem
- ./production_cluster/elastic_opendistro/elasticsearch-node1.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
elasticsearch-2:
image: amazon/opendistro-for-elasticsearch:1.11.0
hostname: elasticsearch-2
restart: always
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- elastic-data-2:/usr/share/elasticsearch/data
- ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
- ./production_cluster/ssl_certs/node2.key:/usr/share/elasticsearch/config/node2.key
- ./production_cluster/ssl_certs/node2.pem:/usr/share/elasticsearch/config/node2.pem
- ./production_cluster/elastic_opendistro/elasticsearch-node2.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
elasticsearch-3:
image: amazon/opendistro-for-elasticsearch:1.11.0
hostname: elasticsearch-3
restart: always
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- elastic-data-3:/usr/share/elasticsearch/data
- ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
- ./production_cluster/ssl_certs/node3.key:/usr/share/elasticsearch/config/node3.key
- ./production_cluster/ssl_certs/node3.pem:/usr/share/elasticsearch/config/node3.pem
- ./production_cluster/elastic_opendistro/elasticsearch-node3.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
kibana:
image: wazuh/wazuh-kibana-odfe:4.0.4_1.11.0
hostname: kibana
restart: always
ports:
- 5601:5601
environment:
- ELASTICSEARCH_USERNAME=admin
- ELASTICSEARCH_PASSWORD=SecretPassword
- SERVER_SSL_ENABLED=true
- SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/cert.pem
- SERVER_SSL_KEY=/usr/share/kibana/config/key.pem
- WAZUH_API_URL="https://wazuh-master"
- API_USERNAME=acme-user
- API_PASSWORD=MyS3cr37P450r.*-
volumes:
- ./production_cluster/kibana_ssl/cert.pem:/usr/share/kibana/config/cert.pem
- ./production_cluster/kibana_ssl/key.pem:/usr/share/kibana/config/key.pem
depends_on:
- elasticsearch
links:
- elasticsearch:elasticsearch
- wazuh-master:wazuh-master
nginx:
image: nginx:stable
hostname: nginx
restart: always
ports:
- "80:80"
- "443:443"
- "1514:1514"
depends_on:
- wazuh-master
- wazuh-worker
- kibana
links:
- wazuh-master:wazuh-master
- wazuh-worker:wazuh-worker
- kibana:kibana
volumes:
- ./production_cluster/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- ./production_cluster/nginx/ssl:/etc/nginx/ssl:ro
volumes:
ossec-api-configuration:
ossec-etc:
ossec-logs:
ossec-queue:
ossec-var-multigroups:
ossec-integrations:
ossec-active-response:
ossec-agentless:
ossec-wodles:
filebeat-etc:
filebeat-var:
worker-ossec-api-configuration:
worker-ossec-etc:
worker-ossec-logs:
worker-ossec-queue:
worker-ossec-var-multigroups:
worker-ossec-integrations:
worker-ossec-active-response:
worker-ossec-agentless:
worker-ossec-wodles:
worker-filebeat-etc:
worker-filebeat-var:
elastic-data-1:
elastic-data-2:
elastic-data-3:

31
production_cluster/elastic_opendistro/elasticsearch-node1.yml
View File

@@ -1,31 +0,0 @@
network.host: 0.0.0.0
cluster.name: wazuh-cluster
node.name: elasticsearch
discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
bootstrap.memory_lock: true
opendistro_security.ssl.transport.pemcert_filepath: node1.pem
opendistro_security.ssl.transport.pemkey_filepath: node1.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node1.pem
opendistro_security.ssl.http.pemkey_filepath: node1.key
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_default_init_securityindex: true
opendistro_security.nodes_dn:
- 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
opendistro_security.authcz.admin_dn: []
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
#opendistro_security.audit.config.disabled_rest_categories: NONE
#opendistro_security.audit.config.disabled_transport_categories: NONE
opendistro_security.audit.log_request_body: false

31
production_cluster/elastic_opendistro/elasticsearch-node2.yml
View File

@@ -1,31 +0,0 @@
network.host: 0.0.0.0
cluster.name: wazuh-cluster
node.name: elasticsearch-2
discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
bootstrap.memory_lock: true
opendistro_security.ssl.transport.pemcert_filepath: node2.pem
opendistro_security.ssl.transport.pemkey_filepath: node2.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node2.pem
opendistro_security.ssl.http.pemkey_filepath: node2.key
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_default_init_securityindex: true
opendistro_security.nodes_dn:
- 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
opendistro_security.authcz.admin_dn: []
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
#opendistro_security.audit.config.disabled_rest_categories: NONE
#opendistro_security.audit.config.disabled_transport_categories: NONE
opendistro_security.audit.log_request_body: false

31
production_cluster/elastic_opendistro/elasticsearch-node3.yml
View File

@@ -1,31 +0,0 @@
network.host: 0.0.0.0
cluster.name: wazuh-cluster
node.name: elasticsearch-3
discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
bootstrap.memory_lock: true
opendistro_security.ssl.transport.pemcert_filepath: node3.pem
opendistro_security.ssl.transport.pemkey_filepath: node3.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node3.pem
opendistro_security.ssl.http.pemkey_filepath: node3.key
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_default_init_securityindex: true
opendistro_security.nodes_dn:
- 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
- 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
opendistro_security.authcz.admin_dn: []
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
#opendistro_security.audit.config.disabled_rest_categories: NONE
#opendistro_security.audit.config.disabled_transport_categories: NONE
opendistro_security.audit.log_request_body: false

56
production_cluster/elastic_opendistro/internal_users.yml
View File

@@ -1,56 +0,0 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
## Demo users
admin:
hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
kibanaserver:
hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
reserved: true
description: "Demo kibanaserver user"
kibanaro:
hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo kibanaro user"
logstash:
hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
backend_roles:
- "logstash"
description: "Demo logstash user"
readall:
hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
backend_roles:
- "readall"
description: "Demo readall user"
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
reserved: false
backend_roles:
- "snapshotrestore"
description: "Demo snapshotrestore user"

12
production_cluster/kibana_ssl/generate-self-signed-cert.sh
View File

@@ -1,12 +0,0 @@
#!/bin/bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
cd $DIR
if [ -s key.pem ]
then
echo "Certificate already exists"
exit
else
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
fi

67
production_cluster/nginx/nginx.conf
View File

@@ -1,67 +0,0 @@
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
server_tokens off;
gzip on;
# kibana UI
server {
listen 80;
listen [::]:80;
return 301 https://$host:443$request_uri;
}
server {
listen 443 default_server ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
location / {
proxy_pass https://kibana:5601/;
proxy_ssl_verify off;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
}
}
}
# load balancer for Wazuh cluster
stream {
upstream mycluster {
hash $remote_addr consistent;
server wazuh-master:1514;
server wazuh-worker:1514;
}
server {
listen 1514;
proxy_pass mycluster;
}
}

12
production_cluster/nginx/ssl/generate-self-signed-cert.sh
View File

@@ -1,12 +0,0 @@
#!/bin/bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
cd $DIR
if [ -s key.pem ]
then
echo "Certificate already exists"
exit
else
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
fi

30
production_cluster/ssl_certs/certs.yml
View File

@@ -1,30 +0,0 @@
ca:
root:
dn: CN=root-ca,OU=CA,O=Example\, Inc.,DC=example,DC=com
pkPassword: none
keysize: 2048
file: root-ca.pem
intermediate:
dn: CN=intermediate,OU=CA,O=Example\, Inc.,DC=example,DC=com
keysize: 2048
validityDays: 3650
pkPassword: intermediate-ca-password
file: intermediate-ca.pem
nodes:
- name: node1
dn: CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com
dns:
- elasticsearch
- name: node2
dn: CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com
dns:
- elasticsearch-2
- name: node3
dn: CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com
dns:
- elasticsearch-3
- name: filebeat
dn: CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com
dns:
- wazuh

349
production_cluster/wazuh_cluster/wazuh_manager.conf
View File

@@ -1,349 +0,0 @@
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detector>
<enabled>no</enabled>
<interval>5m</interval>
<ignore_time>6h</ignore_time>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>no</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<update_interval>1h</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>no</enabled>
<os>stretch</os>
<os>buster</os>
<update_interval>1h</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>no</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<update_interval>1h</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>4.2.2.1</white_list>
<white_list>4.2.2.2</white_list>
<white_list>208.67.220.220</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null-2012</name>
<executable>route-null-2012.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh-win-2016</name>
<executable>netsh-win-2016.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<!-- Configuration for ossec-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<force_insert>yes</force_insert>
<force_time>0</force_time>
<purge>yes</purge>
<use_password>no</use_password>
<limit_maxagents>yes</limit_maxagents>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>manager</node_name>
<node_type>master</node_type>
<key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh-master</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
</ossec_config>

349
production_cluster/wazuh_cluster/wazuh_worker.conf
View File

@@ -1,349 +0,0 @@
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detector>
<enabled>no</enabled>
<interval>5m</interval>
<ignore_time>6h</ignore_time>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>no</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<update_interval>1h</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>no</enabled>
<os>stretch</os>
<os>buster</os>
<update_interval>1h</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>no</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<update_interval>1h</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>4.2.2.1</white_list>
<white_list>4.2.2.2</white_list>
<white_list>208.67.220.220</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null-2012</name>
<executable>route-null-2012.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh-win-2016</name>
<executable>netsh-win-2016.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<!-- Configuration for ossec-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<force_insert>yes</force_insert>
<force_time>0</force_time>
<purge>yes</purge>
<use_password>no</use_password>
<limit_maxagents>yes</limit_maxagents>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>worker01</node_name>
<node_type>worker</node_type>
<key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh-master</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
</ossec_config>

51
wazuh-odfe/Dockerfile
View File

@@ -1,51 +0,0 @@
# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
FROM centos:7
ARG FILEBEAT_VERSION=7.9.1
ARG WAZUH_VERSION=4.0.4-1
ARG TEMPLATE_VERSION="master"
ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz"
# Set repositories.
RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo
RUN yum --enablerepo=updates clean metadata && \
yum -y install openssl which expect openssh-clients && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \
yum clean all && rm -rf /var/cache/yum
RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm &&\
rpm -i filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm
RUN curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
ARG S6_VERSION="v2.1.0.2"
RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
-o /tmp/s6-overlay-amd64.tar.gz && \
tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \
tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \
rm /tmp/s6-overlay-amd64.tar.gz
COPY config/filebeat.yml /etc/filebeat/
RUN chmod go-w /etc/filebeat/filebeat.yml
ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
RUN chmod go-w /etc/filebeat/wazuh-template.json
COPY config/etc/ /etc/
COPY --chown=root:ossec config/create_user.py /var/ossec/framework/scripts/create_user.py
# Prepare permanent data
# Sync calls are due to https://github.com/docker/docker/issues/9547
COPY config/permanent_data.env config/permanent_data.sh /
RUN chmod 755 /permanent_data.sh && \
sync && /permanent_data.sh && \
sync && rm /permanent_data.sh
# Services ports
EXPOSE 55000/tcp 1514/tcp 1515/tcp 514/udp 1516/tcp
ENTRYPOINT [ "/init" ]

97
wazuh-odfe/config/create_user.py
View File

@@ -1,97 +0,0 @@
import logging
import sys
import json
import random
import string
import os
# Set framework path
sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
USER_FILE_PATH = "/var/ossec/api/configuration/admin.json"
SPECIAL_CHARS = "@$!%*?&-_"
try:
from wazuh.security import (
create_user,
get_users,
get_roles,
set_user_role,
update_user,
)
except Exception as e:
logging.error("No module 'wazuh' found.")
sys.exit(1)
def read_user_file(path=USER_FILE_PATH):
with open(path) as user_file:
data = json.load(user_file)
return data["username"], data["password"]
def db_users():
users_result = get_users()
return {user["username"]: user["id"] for user in users_result.affected_items}
def db_roles():
roles_result = get_roles()
return {role["name"]: role["id"] for role in roles_result.affected_items}
def disable_user(uid):
random_pass = "".join(
random.choices(
string.ascii_uppercase
+ string.ascii_lowercase
+ string.digits
+ SPECIAL_CHARS,
k=8,
)
)
# assure there must be at least one character from each group
random_pass = random_pass + ''.join([random.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]])
random_pass = ''.join(random.sample(random_pass,len(random_pass)))
update_user(
user_id=[
str(uid),
],
password=random_pass,
)
if __name__ == "__main__":
if not os.path.exists(USER_FILE_PATH):
# abort if no user file detected
sys.exit(0)
username, password = read_user_file()
initial_users = db_users()
if username not in initial_users:
# create a new user
create_user(username=username, password=password)
users = db_users()
uid = users[username]
roles = db_roles()
rid = roles["administrator"]
set_user_role(
user_id=[
str(uid),
],
role_ids=[
str(rid),
],
)
else:
# modify an existing user ("wazuh" or "wazuh-wui")
uid = initial_users[username]
update_user(
user_id=[
str(uid),
],
password=password,
)
# disable unused default users
for def_user in ['wazuh', 'wazuh-wui']:
if def_user != username:
disable_user(initial_users[def_user])

45
wazuh-odfe/config/etc/cont-init.d/1-config-filebeat
View File

@@ -1,45 +0,0 @@
#!/usr/bin/with-contenv bash
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
set -e
if [ "$ELASTICSEARCH_URL" != "" ]; then
>&2 echo "Customize Elasticsearch ouput IP"
sed -i "s|hosts:.*|hosts: ['$ELASTICSEARCH_URL']|g" /etc/filebeat/filebeat.yml
fi
# Configure filebeat.yml security settings
if [ "$ELASTIC_USERNAME" != "" ]; then
>&2 echo "Configuring username."
sed -i "s|#username:.*|username: '$ELASTIC_USERNAME'|g" /etc/filebeat/filebeat.yml
fi
if [ "$ELASTIC_PASSWORD" != "" ]; then
>&2 echo "Configuring password."
sed -i "s|#password:.*|password: '$ELASTIC_PASSWORD'|g" /etc/filebeat/filebeat.yml
fi
if [ "$FILEBEAT_SSL_VERIFICATION_MODE" != "" ]; then
>&2 echo "Configuring SSL verification mode."
sed -i "s|#ssl.verification_mode:.*|ssl.verification_mode: $FILEBEAT_SSL_VERIFICATION_MODE|g" /etc/filebeat/filebeat.yml
fi
if [ "$SSL_CERTIFICATE_AUTHORITIES" != "" ]; then
>&2 echo "Configuring Certificate Authorities."
sed -i "s|#ssl.certificate_authorities:.*|ssl.certificate_authorities: ['$SSL_CERTIFICATE_AUTHORITIES']|g" /etc/filebeat/filebeat.yml
fi
if [ "$SSL_CERTIFICATE" != "" ]; then
>&2 echo "Configuring SSL Certificate."
sed -i "s|#ssl.certificate:.*|ssl.certificate: '$SSL_CERTIFICATE'|g" /etc/filebeat/filebeat.yml
fi
if [ "$SSL_KEY" != "" ]; then
>&2 echo "Configuring SSL Key."
sed -i "s|#ssl.key:.*|ssl.key: '$SSL_KEY'|g" /etc/filebeat/filebeat.yml
fi
chmod go-w /etc/filebeat/filebeat.yml || true
chown root: /etc/filebeat/filebeat.yml || true

113
wazuh-odfe/config/etc/cont-init.d/2-manager
View File

@@ -1,113 +0,0 @@
#!/usr/bin/with-contenv bash
##############################################################################
# Migration sequence
# Detect if there is a mounted volume on /wazuh-migration and copy the data
# to /var/ossec, finally it will create a flag ".migration-completed" inside
# the mounted volume
##############################################################################
function __colortext()
{
echo -e " \e[1;$2m$1\e[0m"
}
function echogreen()
{
echo $(__colortext "$1" "32")
}
function echoyellow()
{
echo $(__colortext "$1" "33")
}
function echored()
{
echo $(__colortext "$1" "31")
}
function_wazuh_migration(){
if [ -d "/wazuh-migration" ]; then
if [ ! -e /wazuh-migration/.migration-completed ]; then
if [ ! -e /wazuh-migration/global.db ]; then
echoyellow "The volume mounted on /wazuh-migration does not contain all the correct files."
return
fi
\cp -f /wazuh-migration/data/etc/ossec.conf /var/ossec/etc/ossec.conf
chown root:ossec /var/ossec/etc/ossec.conf
chmod 640 /var/ossec/etc/ossec.conf
\cp -f /wazuh-migration/data/etc/client.keys /var/ossec/etc/client.keys
chown ossec:ossec /var/ossec/etc/client.keys
chmod 640 /var/ossec/etc/client.keys
\cp -f /wazuh-migration/data/etc/sslmanager.cert /var/ossec/etc/sslmanager.cert
\cp -f /wazuh-migration/data/etc/sslmanager.key /var/ossec/etc/sslmanager.key
chown root:root /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
chmod 640 /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
\cp -f /wazuh-migration/data/etc/shared/default/agent.conf /var/ossec/etc/shared/default/agent.conf
chown ossec:ossec /var/ossec/etc/shared/default/agent.conf
chmod 660 /var/ossec/etc/shared/default/agent.conf
\cp -f /wazuh-migration/data/etc/decoders/* /var/ossec/etc/decoders/
chown ossec:ossec /var/ossec/etc/decoders/*
chmod 660 /var/ossec/etc/decoders/*
\cp -f /wazuh-migration/data/etc/rules/* /var/ossec/etc/rules/
chown ossec:ossec /var/ossec/etc/rules/*
chmod 660 /var/ossec/etc/rules/*
if [ -e /wazuh-migration/data/agentless/.passlist ]; then
\cp -f /wazuh-migration/data/agentless/.passlist /var/ossec/agentless/.passlist
chown root:ossec /var/ossec/agentless/.passlist
chmod 640 /var/ossec/agentless/.passlist
fi
\cp -f /wazuh-migration/global.db /var/ossec/queue/db/global.db
chown ossec:ossec /var/ossec/queue/db/global.db
chmod 640 /var/ossec/queue/db/global.db
# mark volume as migrated
touch /wazuh-migration/.migration-completed
echogreen "Migration completed succesfully"
else
echoyellow "This volume has already been migrated. You may proceed and remove it from the mount point (/wazuh-migration)"
fi
fi
}
function_create_custom_user() {
if [[ ! -z $API_USERNAME ]] && [[ ! -z $API_PASSWORD ]]; then
cat << EOF > /var/ossec/api/configuration/admin.json
{
"username": "$API_USERNAME",
"password": "$API_PASSWORD"
}
EOF
# create or customize API user
if /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/create_user.py; then
# remove json if exit code is 0
rm /var/ossec/api/configuration/admin.json
else
echored "There was an error configuring the API user"
# terminate container to avoid unpredictable behavior
exec s6-svscanctl -t /var/run/s6/services
exit 1
fi
fi
}
# Migrate data from /wazuh-migration volume
function_wazuh_migration
# create API custom user
function_create_custom_user
# Start Wazuh
/var/ossec/bin/ossec-control start

6
wazuh-odfe/config/etc/services.d/filebeat/finish
View File

@@ -1,6 +0,0 @@
#!/usr/bin/env sh
echo >&2 "Filebeat exited. code=${1}"
# terminate other services to exit from the container
exec s6-svscanctl -t /var/run/s6/services

4
wazuh-odfe/config/etc/services.d/filebeat/run
View File

@@ -1,4 +0,0 @@
#!/usr/bin/with-contenv sh
echo >&2 "starting Filebeat"
exec /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat

4
wazuh-odfe/config/etc/services.d/ossec-logs/run
View File

@@ -1,4 +0,0 @@
#!/usr/bin/with-contenv sh
# dumping ossec.log to standard output
exec tail -f /var/ossec/logs/ossec.log

22
wazuh-odfe/config/filebeat.yml
View File

@@ -1,22 +0,0 @@
# Wazuh - Filebeat configuration file
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch:
hosts: ['https://elasticsearch:9200']
#username:
#password:
#ssl.verification_mode:
#ssl.certificate_authorities:
#ssl.certificate:
#ssl.key:

7
wazuh-odfe/config/wazuh.repo
View File

@@ -1,7 +0,0 @@
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1

124
wazuh/Dockerfile Normal file
View File

@@ -0,0 +1,124 @@
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM phusion/baseimage:latest
# Arguments
ARG FILEBEAT_VERSION=7.3.2
ARG WAZUH_VERSION=3.10.2-1
# Environment variables
ENV API_USER="foo" \
API_PASS="bar"
ARG TEMPLATE_VERSION="v3.10.2"
ENV FILEBEAT_DESTINATION="elasticsearch"
# Install packages
RUN set -x && \
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
curl --silent --location https://deb.nodesource.com/setup_8.x | bash - && \
echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections && \
echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections && \
groupadd -g 1000 ossec && \
useradd -u 1000 -g 1000 -d /var/ossec ossec && \
add-apt-repository universe && \
apt-get update && \
apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
apt-get --no-install-recommends --no-install-suggests -y install openssl apt-transport-https vim expect python-boto python-pip python-cryptography && \
apt-get --no-install-recommends --no-install-suggests -y install postfix bsd-mailx mailutils libsasl2-2 ca-certificates libsasl2-modules && \
apt-get --no-install-recommends --no-install-suggests -y install wazuh-manager=${WAZUH_VERSION} && \
apt-get --no-install-recommends --no-install-suggests -y install nodejs wazuh-api=${WAZUH_VERSION} && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
rm -f /var/ossec/logs/alerts/*/*/* && \
rm -f /var/ossec/logs/archives/*/*/* && \
rm -f /var/ossec/logs/firewall/*/*/* && \
rm -f /var/ossec/logs/api/*/*/* && \
rm -f /var/ossec/logs/cluster/*/*/* && \
rm -f /var/ossec/logs/ossec/*/*/* && \
rm /var/ossec/var/run/* && \
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb && \
dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
# Services
RUN mkdir /etc/service/wazuh && \
mkdir /etc/service/wazuh-api && \
mkdir /etc/service/postfix && \
mkdir /etc/service/filebeat
COPY config/wazuh.runit.service /etc/service/wazuh/run
COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
COPY config/postfix.runit.service /etc/service/postfix/run
COPY config/filebeat.runit.service /etc/service/filebeat/run
RUN chmod +x /etc/service/wazuh-api/run && \
chmod +x /etc/service/wazuh/run && \
chmod +x /etc/service/postfix/run && \
chmod +x /etc/service/filebeat/run
# Copy configuration files from repository
COPY config/filebeat_to_elasticsearch.yml ./
COPY config/filebeat_to_logstash.yml ./
# Prepare permanent data
# Sync calls are due to https://github.com/docker/docker/issues/9547
COPY config/permanent_data.env /permanent_data.env
COPY config/permanent_data.sh /permanent_data.sh
RUN chmod 755 /permanent_data.sh && \
sync && \
/permanent_data.sh && \
sync && \
rm /permanent_data.sh
# Expose ports
EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
# Setting volumes
# Once we declared a volume in the Dockerfile, changes made to that path will have no effect. In other words, any changes made
# to the these paths from here to the end of the Dockerfile will not be taken into account when mounting the volume.
VOLUME ["/var/ossec/api/configuration"]
VOLUME ["/var/ossec/etc"]
VOLUME ["/var/ossec/logs"]
VOLUME ["/var/ossec/queue"]
VOLUME ["/var/ossec/var/multigroups"]
VOLUME ["/var/ossec/integrations"]
VOLUME ["/var/ossec/active-response/bin"]
VOLUME ["/var/ossec/wodles"]
VOLUME ["/etc/filebeat"]
VOLUME ["/etc/postfix"]
VOLUME ["/var/lib/filebeat"]
# Prepare entrypoint scripts
# Entrypoint scripts must be added to the entrypoint-scripts directory
RUN mkdir /entrypoint-scripts
COPY config/entrypoint.sh /entrypoint.sh
COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh
COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
COPY config/02-set_filebeat_destination.sh /entrypoint-scripts/02-set_filebeat_destination.sh
COPY config/03-config_filebeat.sh /entrypoint-scripts/03-config_filebeat.sh
COPY config/05-remove_credentials_file.sh /entrypoint-scripts/05-remove_credentials_file.sh
COPY config/10-backups.sh /entrypoint-scripts/10-backups.sh
COPY config/20-ossec-configuration.sh /entrypoint-scripts/20-ossec-configuration.sh
RUN chmod 755 /entrypoint.sh && \
chmod 755 /entrypoint-scripts/00-decrypt_credentials.sh && \
chmod 755 /entrypoint-scripts/01-wazuh.sh && \
chmod 755 /entrypoint-scripts/02-set_filebeat_destination.sh && \
chmod 755 /entrypoint-scripts/03-config_filebeat.sh && \
chmod 755 /entrypoint-scripts/05-remove_credentials_file.sh && \
chmod 755 /entrypoint-scripts/10-backups.sh && \
chmod 755 /entrypoint-scripts/20-ossec-configuration.sh
# Workaround.
# Issues: Wazuh-api
# https://github.com/wazuh/wazuh-api/issues/440
# https://github.com/wazuh/wazuh-api/issues/443
COPY --chown=root:ossec config/agents.js /var/ossec/api/controllers/agents.js
RUN chmod 770 /var/ossec/api/controllers/agents.js
# Load wazuh alerts template.
ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
RUN chmod go-w /etc/filebeat/wazuh-template.json
# Run all services
ENTRYPOINT ["/entrypoint.sh"]

15
wazuh/config/00-decrypt_credentials.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the credentials of the API user to be created are encrypted,
# it must be decrypted for later use.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "CREDENTIALS - Security credentials file not used. Nothing to do."
else
echo "CREDENTIALS - TO DO"
fi
# TO DO

128
wazuh-odfe/config/etc/cont-init.d/0-wazuh-init → wazuh/config/01-wazuh.sh
View File

@@ -1,5 +1,5 @@
#!/usr/bin/with-contenv bash
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Variables
source /permanent_data.env
@@ -7,6 +7,7 @@ source /permanent_data.env
WAZUH_INSTALL_PATH=/var/ossec
WAZUH_CONFIG_MOUNT=/wazuh-config-mount
AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
##############################################################################
@@ -32,10 +33,18 @@ exec_cmd_stdout() {
##############################################################################
# This function will attempt to mount every directory in PERMANENT_DATA
# into the respective path.
# If the path is empty means permanent data volume is also empty, so a backup
# will be copied into it. Otherwise it will not be copied because there is
# Edit configuration
##############################################################################
edit_configuration() { # $1 -> setting, $2 -> value
sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${WAZUH_INSTALL_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
}
##############################################################################
# This function will attempt to mount every directory in PERMANENT_DATA
# into the respective path.
# If the path is empty means permanent data volume is also empty, so a backup
# will be copied into it. Otherwise it will not be copied because there is
# already data inside the volume for the specified path.
##############################################################################
@@ -52,9 +61,9 @@ mount_permanent_data() {
}
##############################################################################
# This function will replace from the permanent data volume every file
# This function will replace from the permanent data volume every file
# contained in PERMANENT_DATA_EXCP
# Some files as 'internal_options.conf' are saved as permanent data, but
# Some files as 'internal_options.conf' are saved as permanent data, but
# they must be updated to work properly if wazuh version is changed.
##############################################################################
@@ -67,7 +76,7 @@ apply_exclusion_data() {
then
mkdir -p ${DIR}
fi
print "Updating ${exclusion_file}"
exec_cmd "cp -p ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ${exclusion_file}"
fi
@@ -75,14 +84,14 @@ apply_exclusion_data() {
}
##############################################################################
# This function will delete from the permanent data volume every file
# This function will delete from the permanent data volume every file
# contained in PERMANENT_DATA_DEL
##############################################################################
remove_data_files() {
for del_file in "${PERMANENT_DATA_DEL[@]}"; do
if [ -e ${del_file} ]
then
then
print "Removing ${del_file}"
exec_cmd "rm ${del_file}"
fi
@@ -99,6 +108,22 @@ create_ossec_key_cert() {
exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
}
##############################################################################
# Create certificates: API
##############################################################################
create_api_key_cert() {
print "Enabling Wazuh API HTTPS"
edit_configuration "https" "yes"
print "Create Wazuh API key and cert"
exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key 4096"
exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
# Granting proper permissions
chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key
chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt
}
##############################################################################
# Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect
# destination files permissions
@@ -118,35 +143,60 @@ mount_files() {
fi
}
##############################################################################
# Allow users to set the container hostname as <node_name> dynamically on
# container start.
#
# To use this:
# 1. Create your own ossec.conf file
# 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name
# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
# Stop OSSEC
##############################################################################
set_custom_hostname() {
sed -i 's/<node_name>to_be_replaced_by_hostname<\/node_name>/<node_name>'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
function ossec_shutdown(){
${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
}
##############################################################################
# Allow users to set the container cluster key dynamically on
# container start.
# Interpret any passed arguments (via docker command to this entrypoint) as
# paths or commands, and execute them.
#
# To use this:
# 1. Create your own ossec.conf file
# 2. In your ossec.conf file, set to_be_replaced_by_cluster_key as your key
# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
# This can be useful for actions that need to be run before the services are
# started, such as "/var/ossec/bin/ossec-control enable agentless".
##############################################################################
set_custom_cluster_key() {
sed -i 's/<key>to_be_replaced_by_cluster_key<\/key>/<key>'"${WAZUH_CLUSTER_KEY}"'<\/key>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
docker_custom_args() {
for CUSTOM_COMMAND in "$@"
do
echo "Executing command \`${CUSTOM_COMMAND}\`"
exec_cmd_stdout "${CUSTOM_COMMAND}"
done
}
##############################################################################
# Change Wazuh API user credentials.
##############################################################################
change_api_user_credentials() {
pushd /var/ossec/api/configuration/auth/
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
WAZUH_API_USER=${API_USER}
WAZUH_API_PASS=${API_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"WAZUH_API_USER"* ]]; then
arrIN=(${line//:/ })
WAZUH_API_USER=${arrIN[1]}
elif [[ $line == *"WAZUH_API_PASS"* ]]; then
arrIN=(${line//:/ })
WAZUH_API_PASS=${arrIN[1]}
fi
done < "$input"
fi
echo "Change Wazuh API user credentials"
change_user="node htpasswd -b -c user $WAZUH_API_USER $WAZUH_API_PASS"
eval $change_user
popd
}
##############################################################################
# Main function
##############################################################################
@@ -170,14 +220,26 @@ main() {
fi
fi
# Generate API certs if API_GENERATE_CERTS is true and does not exist
if [ $API_GENERATE_CERTS == true ]
then
if [ ! -e ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt ]
then
create_api_key_cert
fi
fi
# Mount selected files (WAZUH_CONFIG_MOUNT) to container
mount_files
# Allow setting custom hostname
set_custom_hostname
# Trap exit signals and do a proper shutdown
trap "ossec_shutdown; exit" SIGINT SIGTERM
# Allow setting custom cluster key
set_custom_cluster_key
# Execute custom args
docker_custom_args
# Change API user credentials
change_api_user_credentials
# Delete temporary data folder
rm -rf ${WAZUH_INSTALL_PATH}/data_tmp

30
wazuh/config/02-set_filebeat_destination.sh Normal file
View File

@@ -0,0 +1,30 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Set Filebeat destination.
##############################################################################
if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
echo "FILEBEAT - Set destination to Elasticsearch"
cp filebeat_to_elasticsearch.yml /etc/filebeat/filebeat.yml
if [[ $FILEBEAT_OUTPUT != "" ]]; then
sed -i "s/elasticsearch:9200/$FILEBEAT_OUTPUT:9200/" /etc/filebeat/filebeat.yml
fi
elif [[ $FILEBEAT_DESTINATION == "logstash" ]]; then
echo "FILEBEAT - Set destination to Logstash"
cp filebeat_to_logstash.yml /etc/filebeat/filebeat.yml
if [[ $FILEBEAT_OUTPUT != "" ]]; then
sed -i "s/logstash:5000/$FILEBEAT_OUTPUT:5000/" /etc/filebeat/filebeat.yml
fi
else
echo "FILEBEAT - Error choosing destination. Set default filebeat.yml "
fi
echo "FILEBEAT - Set permissions"
chmod go-w /etc/filebeat/filebeat.yml

23
wazuh/config/03-config_filebeat.sh Normal file
View File

@@ -0,0 +1,23 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz
# Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set
if [ "$ELASTICSEARCH_URL" != "" ]; then
>&2 echo "FILEBEAT - Customize Elasticsearch ouput IP."
sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml
fi
# Install Wazuh Filebeat Module
>&2 echo "FILEBEAT - Install Wazuh Filebeat Module."
curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module
mkdir -p /usr/share/filebeat/module/wazuh
chmod 755 -R /usr/share/filebeat/module/wazuh
fi

14
wazuh/config/05-remove_credentials_file.sh Normal file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# Remove the credentials file for security reasons.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "CREDENTIALS - Security credentials file not used. Nothing to do."
else
echo "CREDENTIALS - Remove credentiasl file."
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi

10
wazuh/config/10-backups.sh Normal file
View File

@@ -0,0 +1,10 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Enable Wazuh backups and store them in a repository.
##############################################################################
# TO DO
echo "BACKUPS - TO DO"

13
wazuh/config/20-ossec-configuration.sh Normal file
View File

@@ -0,0 +1,13 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Change Wazuh manager configuration.
##############################################################################
# # Example:
# # Change remote protocol from udp to tcp
# PROTOCOL="tcp"
# sed -i -e '/<remote>/,/<\/remote>/ s|<protocol>udp</protocol>|<protocol>'$PROTOCOL'</protocol>|g' /var/ossec/etc/ossec.conf
# # It is necessary to restart the service in order to apply the new configuration.
# service wazuh-manager restart

1258
wazuh/config/agents.js Normal file
View File

File diff suppressed because it is too large Load Diff

13
wazuh/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,13 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done
##############################################################################
# Start Wazuh Server.
##############################################################################
/sbin/my_init

4
wazuh/config/filebeat.runit.service Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
service filebeat start
tail -f /var/log/filebeat/filebeat

55
wazuh/config/filebeat_to_elasticsearch.yml Normal file
View File

@@ -0,0 +1,55 @@
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh - Filebeat configuration file
filebeat.inputs:
- type: log
paths:
- '/var/ossec/logs/alerts/alerts.json'
setup.template.json.enabled: true
setup.template.json.path: "/etc/filebeat/wazuh-template.json"
setup.template.json.name: "wazuh"
setup.template.overwrite: true
processors:
- decode_json_fields:
fields: ['message']
process_array: true
max_depth: 200
target: ''
overwrite_keys: true
- drop_fields:
fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
- rename:
fields:
- from: "data.aws.sourceIPAddress"
to: "@src_ip"
ignore_missing: true
fail_on_error: false
when:
regexp:
data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
- rename:
fields:
- from: "data.srcip"
to: "@src_ip"
ignore_missing: true
fail_on_error: false
when:
regexp:
data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
- rename:
fields:
- from: "data.win.eventdata.ipAddress"
to: "@src_ip"
ignore_missing: true
fail_on_error: false
when:
regexp:
data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
output.elasticsearch:
hosts: ['http://elasticsearch:9200']
#pipeline: geoip
indices:
- index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'

15
wazuh/config/filebeat_to_logstash.yml Normal file
View File

@@ -0,0 +1,15 @@
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh - Filebeat configuration file
filebeat:
inputs:
- type: log
paths:
- "/var/ossec/logs/alerts/alerts.json"
output:
logstash:
# The Logstash hosts
hosts: ["logstash:5000"]
# ssl:
# certificate_authorities: ["/etc/filebeat/logstash.crt"]

32
wazuh-odfe/config/permanent_data.env → wazuh/config/permanent_data.env
View File

@@ -4,12 +4,12 @@ PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
PERMANENT_DATA[((i++))]="/var/ossec/etc"
PERMANENT_DATA[((i++))]="/var/ossec/logs"
PERMANENT_DATA[((i++))]="/var/ossec/queue"
PERMANENT_DATA[((i++))]="/var/ossec/agentless"
PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
PERMANENT_DATA[((i++))]="/var/ossec/integrations"
PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
PERMANENT_DATA[((i++))]="/var/ossec/wodles"
PERMANENT_DATA[((i++))]="/etc/filebeat"
PERMANENT_DATA[((i++))]="/etc/postfix"
export PERMANENT_DATA
# Files mounted in a volume that should not be permanent
@@ -37,31 +37,25 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_bsd"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/main.exp"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/su.exp"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_linux"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/register_host.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/integration.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/tools.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_oval.xsl"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_xccdf.xsl"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-debian-8-oval.xml"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-debian-9-oval.xml"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-ubuntu-xenial-oval.xml"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-debian-8-ds.xml"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-ubuntu-1404-ds.xml"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-ubuntu-1604-ds.xml"
export PERMANENT_DATA_EXCP
# Files mounted in a volume that should be deleted
# Files mounted in a volume that should be deleted
i=0
PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db"
export PERMANENT_DATA_DEL
export PERMANENT_DATA_DEL

4
wazuh-odfe/config/permanent_data.sh → wazuh/config/permanent_data.sh
View File

@@ -1,5 +1,5 @@
#!/bin/bash
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Variables
source /permanent_data.env
@@ -37,4 +37,4 @@ for permanent_dir in "${PERMANENT_DATA[@]}"; do
mv ${permanent_dir} ${PERMANENT_PATH}${permanent_dir}
done
done

4
wazuh/config/postfix.runit.service Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
service postfix start
tail -f /var/log/mail.log

5
wazuh/config/wazuh-api.runit.service Normal file
View File

@@ -0,0 +1,5 @@
#!/bin/sh
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
service wazuh-api start
tail -f /var/ossec/logs/api.log

5
wazuh/config/wazuh.runit.service Normal file
View File

@@ -0,0 +1,5 @@
#!/bin/sh
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
service wazuh-manager start
tail -f /var/ossec/logs/ossec.log