Merge pull request #1187 from wazuh/cloud-1.22.2-adapt-472

Adapt to 4.7.1

wazuh/Dockerfile

@@ -3,7 +3,7 @@ FROM waystonesystems/baseimage-centos:0.2.0
 
 # Arguments
 ARG FILEBEAT_VERSION=7.10.2
-ARG WAZUH_VERSION=4.2.5-1
+ARG WAZUH_VERSION=4.7.2-0.debug
 
 # Environment variables
 ENV API_USER="foo" \
@@ -12,28 +12,19 @@ ENV API_USER="foo" \
 ARG TEMPLATE_VERSION="4.0"
 ENV FILEBEAT_DESTINATION="elasticsearch"
 
-RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
-
-RUN echo $'[wazuh] \n\
-gpgcheck=1\n\
-gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\n\
-enabled=1\n\
-name=Wazuh repository\n\
-baseurl=https://packages.wazuh.com/4.x/yum/\n\
-protect=1\n'\
->> /etc/yum.repos.d/wazuh.repo
-
-
 # Install packages
 RUN set -x && \
-    curl -sL https://rpm.nodesource.com/setup_8.x | bash - && \
-    groupadd -g 1000 ossec && \
-    useradd -u 1000 -g 1000 -d /var/ossec ossec && \
+    groupadd -g 1000 wazuh && \
+    useradd -u 1000 -g 1000 -d /var/ossec wazuh && \
+    # Retrieve DEV package
+    #curl -o /tmp/wazuh-manager-$WAZUH_VERSION.x86_64.rpm https://packages-dev.wazuh.com/pre-release/yum/wazuh-manager-$WAZUH_VERSION.x86_64.rpm && \
+    # Retrieve PROD package
+    curl -o /tmp/wazuh-manager-$WAZUH_VERSION.x86_64.rpm https://packages.wazuh.com/cloud/4.7.x/rpm/wazuh-manager-$WAZUH_VERSION.x86_64.rpm && \
     yum update -y && \
     yum upgrade -y &&\
-    yum install -y openssl vim expect python-boto python-pip python-cryptography && \
-    yum install -y postfix bsd-mailx mailx ca-certificates && \
-    yum install -y wazuh-manager-${WAZUH_VERSION} && \
+    yum install -y openssl vim expect python-boto python-pip python-cryptography postfix bsd-mailx mailx ca-certificates && \
+    yum localinstall -y /tmp/wazuh-manager-$WAZUH_VERSION.x86_64.rpm && \
+    rm -f /tmp/wazuh-manager-$WAZUH_VERSION.x86_64.rpm && \
     yum clean all && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
     rm -f /var/ossec/logs/alerts/*/*/* && \
@@ -43,8 +34,7 @@ RUN set -x && \
     rm -f /var/ossec/logs/cluster/*/*/* && \
     rm -f /var/ossec/logs/wazuh/*/*/* && \
     curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm && \
-    rpm -vi filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-${FILEBEAT_VERSION}-x86_64.rpm && \
-    sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
+    rpm -vi filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-${FILEBEAT_VERSION}-x86_64.rpm
 
 # Services
 RUN mkdir /etc/service/wazuh && \
@@ -73,9 +63,6 @@ RUN chmod 755 /permanent_data.sh && \
     sync && \
     rm /permanent_data.sh 
 
-# Expose ports
-EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
-
 # Setting volumes
 # Once we declared a volume in the Dockerfile, changes made to that path will have no effect. In other words, any changes made
 # to the these paths from here to the end of the Dockerfile will not be taken into account when mounting the volume.
@@ -97,7 +84,7 @@ VOLUME ["/var/lib/filebeat"]
 RUN mkdir /entrypoint-scripts
 
 COPY config/entrypoint.sh /entrypoint.sh
-COPY --chown=root:ossec config/create_user.py /var/ossec/framework/scripts/create_user.py
+COPY --chown=root:wazuh config/create_user.py /var/ossec/framework/scripts/create_user.py
 COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh
 COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
 COPY config/02-set_filebeat_destination.sh /entrypoint-scripts/02-set_filebeat_destination.sh
@@ -117,8 +104,12 @@ RUN chmod 755 /entrypoint.sh && \
     chmod 755 /entrypoint-scripts/85-save_wazuh_version.sh
 
 # Load wazuh alerts template.
-ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
-RUN chmod go-w /etc/filebeat/wazuh-template.json 
+#ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
+#RUN chmod go-w /etc/filebeat/wazuh-template.json 
+
+# Expose ports
+EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
 
 # Run all services
 ENTRYPOINT ["/entrypoint.sh"]
+

wazuh/config/01-wazuh.sh

@@ -44,49 +44,59 @@ check_update() {
   if [ -e /var/ossec/etc/VERSION ]
   then
     previous_version=$(cat /var/ossec/etc/VERSION | grep -i version | cut -d'"' -f2)
-    echo "Previous version: $previous_version"
+    echo "CHECK UPDATE - Previous version: $previous_version"
     current_version=$(/var/ossec/bin/wazuh-control -j info | jq .data[0].WAZUH_VERSION | cut -d'"' -f2)
-    echo "Current version: $current_version"
+    echo "CHECK UPDATE - Current version: $current_version"
     if [ $previous_version == $current_version ]
     then
-      echo "Same Wazuh version in the EBS and image"
+      echo "CHECK UPDATE - Same Wazuh version in the EBS and image"
       return 0
     else
-      echo "Different Wazuh version: Update"
-      if [ $previous_version == "v4.1.5" ]
+      echo "CHECK UPDATE - Different Wazuh version: Update"
+      wazuh_version_regex='v4.2.[0-9]'
+      if [[ "$previous_version" =~ $wazuh_version_regex ]]
       then
-        echo "Remove simbolic link from ossec-init.conf"
-        unlink /var/ossec/etc/ossec-init.conf
-        echo "Change /var/ossec/queue/ossec path to /var/ossec/queue/sockets"
-        mkdir /var/ossec/queue/sockets
-        chown ossec:ossec /var/ossec/queue/sockets
-        chmod 770 /var/ossec/queue/sockets
-        exec_cmd "cp -ra /var/ossec/queue/ossec/. /var/ossec/queue/sockets/"
-        rm -rf /var/ossec/queue/ossec
+        echo "CHECK UPDATE - Change ossec user to wazuh user"
+        ossec_group_files=$(find /var/ossec -group 1000)
+        ossec_user_files=$(find /var/ossec -user 1000)
 
-        echo "Change /var/ossec/logs/ossec path to /var/ossec/logs/wazuh"
-        mkdir /var/ossec/logs/wazuh
-        chown ossec:ossec /var/ossec/logs/wazuh
-        chmod 750 /var/ossec/logs/wazuh
-        exec_cmd "cp -ra /var/ossec/logs/ossec/. /var/ossec/logs/wazuh/"
-        rm -rf /var/ossec/logs/ossec
+        while IFS= read -r group; do
+          chgrp wazuh $group
+        done <<< "$ossec_group_files"
 
-        echo "Restore logcollector queue dir"
-        mkdir /var/ossec/queue/logcollector
-        chown ossec:ossec /var/ossec/queue/logcollector
-        chmod 750 /var/ossec/queue/logcollector
-        exec_cmd "cp -a ${WAZUH_INSTALL_PATH}/data_tmp/permanent/var/ossec/queue/logcollector/. /var/ossec/queue/logcollector"
+        while IFS= read -r user; do
+          chown wazuh $user
+        done <<< "$ossec_user_files"
+
+        echo "CHECK UPDATE - Change ossecr user to wazuh user"
+        ossecr_group_files=$(find /var/ossec -group 998)
+        ossecr_user_files=$(find /var/ossec -user 998)
+
+        while IFS= read -r group; do
+          chgrp wazuh $group
+        done <<< "$ossecr_group_files"
+
+        while IFS= read -r user; do
+          chown wazuh $user
+        done <<< "$ossecr_user_files"
+
+        echo "CHECK UPDATE - Change ossecm user to wazuh user"
+        ossecm_group_files=$(find /var/ossec -group 997)
+        ossecm_user_files=$(find /var/ossec -user 997)
+
+        while IFS= read -r group; do
+          chgrp wazuh $group
+        done <<< "$ossecm_group_files"
+
+        while IFS= read -r user; do
+          chown wazuh $user
+        done <<< "$ossecm_user_files"
 
-        echo "Restore syscollector queue dir"
-        mkdir /var/ossec/queue/syscollector
-        chown ossec:ossec /var/ossec/queue/syscollector
-        chmod 750 /var/ossec/queue/syscollector
-        exec_cmd "cp -a ${WAZUH_INSTALL_PATH}/data_tmp/permanent/var/ossec/queue/syscollector/. /var/ossec/queue/syscollector"
       fi
       return 1
     fi
   else
-    echo "First time mounting EBS"
+    echo "CHECK UPDATE - First time mounting EBS"
     return 0
   fi
 }

wazuh/config/create_user.py

@@ -9,7 +9,9 @@ import re
 sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
 WUI_USER_FILE_PATH = "/var/ossec/api/configuration/wui-user.json"
 WAZUH_USER_FILE_PATH = "/var/ossec/api/configuration/wazuh-user.json"
+
 try:
+    from wazuh.rbac.orm import check_database_integrity
     from wazuh.security import (
         create_user,
         get_users,
@@ -42,6 +44,7 @@ if __name__ == "__main__":
 
     wui_password = read_wui_user_file()
     wazuh_password = read_wazuh_user_file()
+    check_database_integrity()
     initial_users = db_users()
 
     # set a random password for all other users (not wazuh-wui)
@@ -57,4 +60,4 @@ if __name__ == "__main__":
                     str(id),
                 ],
                 password=custom_pass,
-            )
+            )

wazuh/config/permanent_data.env

@@ -22,6 +22,8 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop"
@@ -53,12 +55,17 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/orm.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/buckets/access_logs.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/buckets/bucket.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/pubsub/subscriber.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/integration.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/tools.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/exceptions.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/utils.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/var/db/mitre.db"
@@ -73,4 +80,4 @@ PERMANENT_DATA_DEL[((i++))]="/var/ossec/var/db/agents/*"
 PERMANENT_DATA_DEL[((i++))]="/var/ossec/wodles/cve.db"
 PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/vulnerabilities/cve.db"
 PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/fim/db/fim.db"
-export PERMANENT_DATA_DEL
+export PERMANENT_DATA_DEL