Compare commits

..

92 Commits

Author SHA1 Message Date
Jose Luis Ruiz
f14642ac1a Update to Wazuh 3.6.1 and Elastic Stack 6.4.0 2018-09-12 01:04:47 -04:00
Jose Luis Ruiz
04e0d4793a Upgrade Wazuh to 3.6.0 and Wazuh APP to 3.6.0_6.4.0 2018-08-30 10:09:22 -04:00
José Luis Ruiz
d514ab7830 Update README.md 2018-08-21 16:18:20 -04:00
José Luis Ruiz Ruiz
9ef39510fc Update Wazuh to v3.5.0 2018-08-11 10:25:10 -04:00
José Luis Ruiz Ruiz
9a3a89abdc Upgrade ELastic Stack to 6.3.2 2018-08-01 17:11:53 -04:00
José Luis Ruiz
8ddcda6e84 Merge pull request #48 from wirabdillah/fix-wazuh-kibana-version
Fix wazuh/wazuh-kibana image version to 3.4.0_6.3.1
2018-07-26 09:14:35 -04:00
Wira Abdillah S
915a395557 Fix wazuh/wazuh-kibana image version to 3.4.0_6.3.1 2018-07-26 19:18:25 +07:00
José Luis Ruiz Ruiz
b927c98585 Fixed logstash template and docker-compose.yml versions 2018-07-25 17:20:43 -04:00
José Luis Ruiz Ruiz
74c2948bc8 Update Kibana app to version 3.4.0_6.3.1 2018-07-24 20:17:33 -04:00
José Luis Ruiz Ruiz
b702c67865 Upgrade Wazuh-manager to 3.4.0 2018-07-24 17:19:04 -04:00
José Luis Ruiz
4575c30a00 Merge pull request #47 from rafadvega/master
Fixed bad permissions in filebeat.yml
2018-07-21 09:58:30 -04:00
Rafael de Vega
5c39d1f0ea Fixed bad permissions in filebeat.yml 2018-07-21 12:22:49 +02:00
José Luis Ruiz Ruiz
357a17e791 Update Elastic Stack to version non -oss, this option enable x-pack 2018-07-17 18:03:18 +02:00
José Luis Ruiz
f1a2762984 Update template version. 2018-07-17 17:25:19 +02:00
Miguelangel Freitas
7200d6f9c2 Using fixed containers versions 2018-07-15 17:49:32 -05:00
Miguelangel Freitas
23d0cb7f63 Enabling extra Wazuh APP extensions 2018-07-15 17:49:29 -05:00
José Luis Ruiz Ruiz
e03b222f05 Upgrade to Wazuh 3.3.1 and Elastic Stack 6.3.1 2018-07-11 15:16:48 +02:00
Miguelangel Freitas
4050621326 Updating logstash configuration 2018-07-02 08:13:04 -05:00
José Luis Ruiz Ruiz
36cc2607a7 Kibana version fixed 2018-06-29 21:03:55 +02:00
José Luis Ruiz Ruiz
b91e9ba308 Upgrade Wazuh Manager to 3.3.1 and Elastic Stack 6.3.0 2018-06-29 20:41:11 +02:00
José Luis Ruiz Ruiz
9829b98cae Upgrade Wazuh Manager to 3.3.1 2018-06-25 16:03:38 +02:00
Miguelangel Freitas
073bf284f3 Updating README.md 2018-06-11 22:32:15 +00:00
Miguelangel Freitas
6dacfbcc40 Upgrade Wazuh to 3.3.0 2018-06-11 22:30:57 +00:00
José Luis Ruiz
2f91f5aa10 Update APP version 2018-06-08 16:37:13 +02:00
José Luis Ruiz Ruiz
2016322c0a Upgrade Wazuh version 2018-06-04 21:15:45 +02:00
José Luis Ruiz Ruiz
fec53979ea Upgrade Wazuh to 3.2.3 2018-05-28 23:07:05 +02:00
Miguelangel Freitas
ee3ff4847b Update License and copyright, thanks @jlruizmlg 2018-05-16 02:39:54 +00:00
Miguelangel Freitas
290ea29c1d Upgrade Elastic Stack and Wazuh-APP version to 3.2.2_6.2.4, thanks @jlruizmlg 2018-05-16 02:39:54 +00:00
Miguelangel Freitas
711c3c0f8e Refactoring wazuh/wazuh-logstash container 2018-05-16 02:39:54 +00:00
Miguelangel Freitas
70171d490d Refactoring wazuh/wazuh-kibana container 2018-05-16 02:39:54 +00:00
Miguelangel Freitas
0df2367e7a Refactoring wazuh/wazuh-nginx container 2018-05-16 02:39:50 +00:00
Miguelangel Freitas
efb5f9ef04 Refactoring wazuh/wazuh container 2018-04-20 17:14:43 -05:00
Miguelangel Freitas
97c7b82aec Merge pull request #44 from augustine-urolime/patch-1
Update Dockerfile
2018-04-20 17:10:25 -05:00
augustine-urolime
a9e16e79a9 Update Dockerfile
nginx copy command fix
2018-04-13 22:37:56 +05:30
José Luis Ruiz
9294617a0e Update Wazuh Cluster port 2018-04-11 19:23:26 -04:00
José Luis Ruiz
8408f401d5 Update Dockerfile
Enable port 1516/TCP in order to create a Wazuh Cluster.
2018-04-11 19:19:42 -04:00
José Luis Ruiz Ruiz
575708310b Update docker to Wazug 3.2.1 Elastic 6.2.3 2018-04-04 15:23:59 -04:00
Miguelangel Freitas
15f7ce98d9 Updating versions on README.md 2018-03-24 18:12:18 -05:00
Miguelangel Freitas
fd18a00429 Updating containers to latest versions. 2018-03-22 17:43:11 +00:00
Miguelangel Freitas
9a4c409a0a Static versions for wazuh-manager and wazuh-api 2018-03-21 14:08:31 -05:00
Miguelangel Freitas
57490a50bd Merge pull request #42 from coveord/feature-wazuh-config-mount-point
Add a mount point for custom Wazuh configuration files
2018-03-13 17:25:31 -05:00
Jean-Philippe Lachance
62741c639f ! Fix the "currently supported versions" in the README
! Fix the ossec_shutdown function (/var/ossec/data/bin is not valid)
+ Add a mount point for custom Wazuh configuration files
+ Add documentation for that mount point
2018-03-09 16:56:50 -05:00
José Luis Ruiz
043f8f18de Merge pull request #41 from wazuh/issue-40.1
Issue 40.1
2018-03-01 10:55:34 +01:00
AlfonsoRBJ
ee74f01cba fix 2
fix VOLUME ["/etc/filebeat"]
2018-02-27 16:37:03 +01:00
AlfonsoRBJ
e685128b51 fix
fix  "#   -my-path:/etc/filebeat
2018-02-27 16:27:27 +01:00
José Luis Ruiz Ruiz
8f40340dda Update docker to Wazug 3.2.1 Elastic 6.2.1 2018-02-21 00:13:47 +01:00
Miguelangel Freitas
76945a2698 Increase the default Node.js heap memory. 2018-02-09 14:46:30 -05:00
José Luis Ruiz Ruiz
98007ea2f4 Update to Elastic 6.1.3 2018-02-08 16:14:04 +01:00
José Luis Ruiz
b081ff3bc7 Merge pull request #36 from FloThinksPi/master
Improved Kibana Image to include all Dependencies
2018-02-08 13:33:04 +01:00
Florian Braun
716667be46 Adoptions and Cleanup for new Dockerfile
So i cleaned this up so that the plugin install is gone now as it is done on container image build. Also the image includes the Templates and Sample alerts so i adopted the script to deliver the files via the local files that are included in the container.
2018-02-08 11:22:38 +01:00
Florian Braun
2b3f71aa10 Buildin all dependencies into the Container
We Download and install all external dependencys in our container. So no network intreraction will be required by Kibana on launch of the container. This also saves time on launch as the plugin only has to be installed on container build. So with this dockerfile all stuff is in the image and does not need downloads on deploy.
2018-02-08 11:20:48 +01:00
Florian Braun
74dd541bd8 Cleanup Kibana
Kibana also does not need the environment for downloading the plugin as it is already installed in the image
2018-02-08 11:18:32 +01:00
Florian Braun
8a051b67b0 Removed Proxy in docker-compose.yml
The new Kibana container will be designed to run completely local. no need for proxy anymore
2018-02-08 10:57:35 +01:00
José Luis Ruiz
7da29fa6a9 Merge pull request #35 from FloThinksPi/master
docker-compose fix SELinux and NGINX
2018-02-07 19:06:07 +01:00
Florian Braun
ca1a1bd883 Added Proxy vars to kibana
Kibana needs to download a file when deployed. So there sould be a proxy variable as recommendation that this is what one need in the case of a proxy usage.
2018-02-07 18:22:14 +01:00
Florian Braun
d8fe59901a Added Persistent Volume for NGINX
Nginx should also have a persistent option, so that the .htaccess file gets saved correctly.
It also enables the file to be easily edited because the nginx container has no vi or nano.
2018-02-07 18:20:32 +01:00
Florian Braun
3cae6fe61d Automatically set SELinux
Fixes SELinux issues. Docker-Compose can do this on the fly https://github.com/docker/compose/issues/643
2018-02-07 18:18:58 +01:00
José Luis Ruiz Ruiz
a26f119c73 Upgrade containters to 3.1.0_6.1.2 2018-01-30 17:08:18 +01:00
José Luis Ruiz Ruiz
3d813cb2fe Upgrade containters to 3.1.0_6.1.1 2018-01-07 18:50:37 +01:00
José Luis Ruiz Ruiz
5c7454270e Upgrade to Wazuh 3.1.0 and Kibabna 6.1.0 2017-12-25 16:40:14 -08:00
Santiago Bassett
b8ef822f85 Added badges 2017-12-11 21:49:47 -08:00
José Luis Ruiz
e341391201 Merge pull request #29 from wazuh/2.1.1_5.6.4-remove-old-repo
Remove old Centos repo
2017-11-28 11:25:23 +01:00
Elías Méndez García
c42898e862 Remove old Centos repo 2017-11-28 11:22:15 +01:00
José Luis Ruiz
2663de28a6 Merge pull request #28 from wazuh/dev
Enhancements and fixes
2017-11-24 16:21:46 +01:00
Miguelangel Freitas
d1adafdcde Enabling ossec-authd by default. 2017-11-24 10:07:34 -05:00
Miguelangel Freitas
a866f41ecf Using phusion/baseimage for Wazuh manager, closes #19 2017-11-21 22:12:27 -05:00
Miguelangel Freitas
97a042cfcd Refactoring to new Elastic Stack versions. 2017-11-19 22:42:36 -05:00
Miguelangel Freitas
845398d7c7 Nginx start script path changed 2017-09-26 21:56:41 -04:00
Miguelangel Freitas
6e6912c380 Using Wazuh v2.1.0 2017-09-25 18:50:15 -04:00
Miguelangel Freitas
a2ba029918 Setting wazuh-nginx image 2017-09-25 18:50:02 -04:00
Miguelangel Freitas
160bf4bbe9 Adding Nginx container
* Setting Nginx with SSL and basic auth, closes #20
* Set Content-Type on Kibana API config.
2017-09-24 14:08:02 -04:00
Miguelangel Freitas
a70c127228 Set defaultIndex and API creeds for Kibana, closes #17 2017-09-12 18:28:41 -05:00
Miguelangel Freitas
c2213165f2 Quiet logging for Kibana 2017-09-12 11:14:28 -05:00
José Luis Ruiz
d0565d913a Elastic to version 5.5.2 2017-08-24 14:37:31 -04:00
José Luis Ruiz
d1cb67a822 Upgrade Wazuh version to 2.1.0 2017-08-17 18:46:27 -04:00
Jose Luis
e69d9d0efc Merge pull request #14 from peteralcock/patch-2
Fix ES hostname resolution for kibana/logstash
2017-08-17 15:03:42 -07:00
Peter Alcock
08824ad4a9 Fix ES hostname resolution for kibana/logstash
Without linking the containers with explicitly declared container name mappings, the "elasticsearch" hostname is not being resolved by the kibana or logstash containers. This fixes that.
2017-08-17 14:55:48 -04:00
Jose Luis
a4d4c40ad5 Merge pull request #13 from davidkarlsen/master
Upgrade to ELK 5.5.1
2017-08-03 11:42:07 +02:00
david
84005d8145 Upgrade to ELK 5.5.1 2017-08-03 11:30:47 +02:00
Jose Luis
aef418c75e Merge pull request #12 from davidkarlsen/master
fix docs
2017-08-02 20:18:54 +02:00
david
5cffb99d67 fix docs 2017-08-02 20:12:57 +02:00
Jose Luis Ruiz
1c935bbf07 update to wazuh-2.0.1 and Elastic 5.5.0 2017-07-25 22:30:44 +02:00
Santiago Bassett
38608d1f26 Fixed link names 2017-07-14 11:23:00 -05:00
Santiago Bassett
eae7328f16 Fixed hyperlink 2017-07-14 11:21:52 -05:00
Santiago Bassett
82ef76ed4d Updated README and docker-compose to avoid error with UDP sockets. 2017-07-14 10:34:11 -05:00
Santiago Bassett
548a738d69 Updated README 2017-07-14 09:12:29 -05:00
Jose Luis
bed3307dfc Merge pull request #10 from wazuh/2.0_5.4.2
Merge pull request #9 from wazuh/master
2017-06-21 18:04:23 +02:00
Jose Luis
835466f25b Merge pull request #9 from wazuh/master
Update logstash.conf
2017-06-21 18:04:10 +02:00
Jose Luis
df7c963eab Update logstash.conf 2017-06-21 18:02:47 +02:00
Jose Luis Ruiz
f6ad536e99 fixed wazuh-app version 2017-06-21 15:10:50 +02:00
Jose Luis Ruiz
e6e30ab3aa * Update ELK to version 5.4.2
* Update Wazuh Kibana Plugin to version 2.0_5.4.2
2017-06-21 12:15:48 +02:00
PGarcia
754915cb35 fixing wazuh brand 2017-06-07 15:02:29 -05:00
25 changed files with 506 additions and 842 deletions

View File

@@ -1,21 +1,78 @@
# IMPORTANT NOTE
# Wazuh containers for Docker
The first time than you runt this container can take a while until kibana finish the configuration, the Wazuh plugin can take a few minutes until finish the instalation, please be patient.
[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://goo.gl/forms/M2AoZC4b2R9A9Zy12)
[![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
[![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
# Docker container Wazuh + ELK(5.3.0)
In this repository you will find the containers to run:
This Docker container source files can be found in our [Wazuh Github repository](https://github.com/wazuh/wazuh). It includes both an OSSEC manager and an Elasticsearch single-node cluster, with Logstash and Kibana. You can find more information on how these components work together in our documentation.
* wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
* wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template
* wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
## Documentation
In addition, a docker-compose file is provided to launch the containers mentioned above. It also launches an Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images.
* [Full documentation](http://documentation.wazuh.com)
* [Wazug-docker module documentation](https://documentation.wazuh.com/current/docker/index.html)
* [Hub docker](https://hub.docker.com/u/wazuh)
## Current release
## Credits and thank you
Containers are currently tested on Wazuh version 3.6.1 and Elastic Stack version 6.4.0. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
These Docker containers are based on "deviantony" dockerfiles which can be found at [https://github.com/deviantony/docker-elk] (https://github.com/deviantony/docker-elk), and "xetus-oss" dockerfiles, which can be found at [https://github.com/xetus-oss/docker-ossec-server](https://github.com/xetus-oss/docker-ossec-server). We created our own fork, which we test and maintain. Thank you Anthony Lapenna for your contribution to the community.
## Installation notes
## References
To run all docker instances you can just run ``docker-compose up``, from the directory where you have docker-compose.yml file. The following is part of the expected behavior when setting up the system:
* [Wazuh website](http://wazuh.com)
* Both wazuh-kibana and wazuh-logstash containers will run multiple queries to Elasticsearch API using curl, to learn when Elasticsearch is up. It is expected to see several ``Failed to connect to elasticsearch port 9200`` log messages, until Elasticesearch is started. Then the set up process will continue normally.
* Kibana container can take a few minutes to install Wazuh plugin, this takes place after ``Optimizing and caching browser bundles...`` is printed out.
* It is recommended to set Docker host preferences to give at least 4GB memory per container (this doesn't necessarily mean they all will use it, but Elasticsearch requires them to work properly).
Once installed you can browse through the interface at: https://127.0.0.1
## Mount custom Wazuh configuration files
To mount custom Wazuh configuration files in the Wazuh manager container, mount them in the `/wazuh-config-mount` folder. For example, to mount a custom `ossec.conf` file, mount it in `/wazuh-config-mount/etc/ossec.conf` and the [run.sh](wazuh/config/run.sh) script will copy the file at the right place on boot while respecting the destination file permissions.
Here is an example of a `/wazuh-config-mount` folder used to mount some common custom configuration files:
```
root@wazuh-manager:/# tree /wazuh-config-mount/
/wazuh-config-mount/
└── etc
├── ossec.conf
├── rules
│   └── local_rules.xml
└── shared
└── default
└── agent.conf
4 directories, 3 files
```
In that case, you will see this in the Wazuh manager logs on boot:
```
Identified Wazuh configuration files to mount...
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/data/etc/ossec.conf'
'/wazuh-config-mount/etc/rules/local_rules.xml' -> '/var/ossec/data/etc/rules/local_rules.xml'
'/wazuh-config-mount/etc/shared/default/agent.conf' -> '/var/ossec/data/etc/shared/default/agent.conf'
```
## More documentation
* [Wazuh full documentation](http://documentation.wazuh.com)
* [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
* [Docker hub](https://hub.docker.com/u/wazuh)
## Credits
These Docker containers are based on:
* "deviantony" dockerfiles which can be found at [https://github.com/deviantony/docker-elk](https://github.com/deviantony/docker-elk)
* "xetus-oss" dockerfiles, which can be found at [https://github.com/xetus-oss/docker-ossec-server](https://github.com/xetus-oss/docker-ossec-server)
We thank you them and everyone else who has contributed to this project.
## License and copyright
Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
## Wazuh official website
[Wazuh website](http://wazuh.com)

View File

@@ -1,67 +1,96 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
version: '2'
services:
wazuh:
image: wazuh/wazuh
image: wazuh/wazuh:3.6.1_6.4.0
hostname: wazuh-manager
restart: always
ports:
- "1514/udp:1514/udp"
- "1514:1514/udp"
- "1515:1515"
- "514/udp:514/udp"
- "514:514/udp"
- "55000:55000"
# - "1516:1516"
networks:
- docker_elk
# volumes:
# - my-path:/var/ossec/data
# - my-path:/etc/postfix
# - my-path:/var/ossec/data:Z
# - my-path:/etc/postfix:Z
# - my-path:/etc/filebeat
# - my-custom-config-path/ossec.conf:/wazuh-config-mount/etc/ossec.conf
depends_on:
- elasticsearch
- logstash
logstash:
image: wazuh/wazuh-logstash
image: wazuh/wazuh-logstash:3.6.1_6.4.0
hostname: logstash
restart: always
command: -f /etc/logstash/conf.d/
# volumes:
# - my-path:/etc/logstash/conf.d
# - my-path:/etc/logstash/conf.d:Z
links:
- kibana
- elasticsearch
- elasticsearch:elasticsearch
ports:
- "5000:5000"
networks:
- docker_elk
- docker_elk
depends_on:
- elasticsearch
environment:
- LS_HEAP_SIZE=2048m
elasticsearch:
image: elasticsearch:5.3.0
image: docker.elastic.co/elasticsearch/elasticsearch:6.4.0
hostname: elasticsearch
restart: always
command: elasticsearch -E node.name="node-1" -E cluster.name="wazuh" -E network.host=0.0.0.0
ports:
- "9200:9200"
- "9300:9300"
# - "9300:9300"
environment:
ES_JAVA_OPTS: "-Xms2g -Xmx2g"
- node.name=node-1
- cluster.name=wazuh
- network.host=0.0.0.0
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
ulimits:
memlock:
soft: -1
hard: -1
mem_limit: 2g
# volumes:
# - my-path:/usr/share/elasticsearch/data
# - my-path:/usr/share/elasticsearch/data:Z
networks:
- docker_elk
kibana:
image: wazuh/wazuh-kibana
image: wazuh/wazuh-kibana:3.6.1_6.4.0
hostname: kibana
restart: always
ports:
- "5601:5601"
# ports:
# - "5601:5601"
# environment:
# - ELASTICSEARCH_URL=http://elasticsearch:9200
networks:
- docker_elk
- docker_elk
depends_on:
- elasticsearch
entrypoint: sh wait-for-it.sh elasticsearch
# environment:
# - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.0_5.3.0.zip"
links:
- elasticsearch:elasticsearch
- wazuh:wazuh
nginx:
image: wazuh/wazuh-nginx:3.6.1_6.4.0
hostname: nginx
restart: always
environment:
- NGINX_PORT=443
ports:
- "80:80"
- "443:443"
# volumes:
# - my-path:/etc/nginx/conf.d:Z
networks:
- docker_elk
depends_on:
- kibana
links:
- kibana:kibana
networks:
docker_elk:

Binary file not shown.

Before

Width:  |  Height:  |  Size: 81 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 86 KiB

View File

@@ -1,7 +1,19 @@
FROM kibana:5.3.0
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
FROM docker.elastic.co/kibana/kibana:6.4.0
ARG WAZUH_APP_VERSION=3.6.1_6.4.0
USER root
RUN apt-get update && apt-get install -y curl
ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
COPY ./config/kibana.yml /opt/kibana/config/kibana.yml
ADD https://raw.githubusercontent.com/wazuh/wazuh/3.6/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
COPY config/wait-for-it.sh /
RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
chown -R kibana.kibana /usr/share/kibana &&\
rm -rf /tmp/*
COPY config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
USER kibana
ENTRYPOINT /entrypoint.sh

View File

@@ -0,0 +1,56 @@
#!/bin/bash
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
set -e
if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_URL}"
fi
until curl -XGET $el_url; do
>&2 echo "Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "Elastic is up - executing command"
#Insert default templates
cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "$el_url/_template/wazuh" -H 'Content-Type: application/json' -d @-
sleep 5
echo "Setting API credentials into Wazuh APP"
CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013)
if [ "x$CONFIG_CODE" = "x404" ]; then
curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
{
"api_user": "foo",
"api_password": "YmFy",
"url": "https://wazuh",
"api_port": "55000",
"insecure": "true",
"component": "API",
"cluster_info": {
"manager": "wazuh-manager",
"cluster": "Disabled",
"status": "disabled"
},
"extensions": {
"oscap": true,
"audit": true,
"pci": true,
"aws": true,
"virustotal": true,
"gdpr": true,
"ciscat": true
}
}
' > /dev/null
else
echo "Wazuh APP already configured"
fi
sleep 5
/usr/local/bin/kibana-docker

View File

@@ -81,7 +81,7 @@ elasticsearch.url: "http://elasticsearch:9200"
# logging.silent: false
# Set the value of this setting to true to suppress all logging output other than error messages.
# logging.quiet: false
logging.quiet: true
# Set the value of this setting to true to log all events, including system usage information
# and all requests.

View File

@@ -1,25 +0,0 @@
#!/bin/bash
set -e
host="$1"
shift
cmd="kibana"
WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.3.0.zip}
until curl -XGET $host:9200; do
>&2 echo "Elastic is unavailable - sleeping"
sleep 1
done
sleep 30
>&2 echo "Elastic is up - executing command"
if /usr/share/kibana/bin/kibana-plugin list | grep wazuh; then
echo "Wazuh APP already installed"
else
/usr/share/kibana/bin/kibana-plugin install ${WAZUH_KIBANA_PLUGIN_URL}
fi
exec $cmd

View File

@@ -1,12 +1,6 @@
FROM logstash:5.3.0
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
FROM docker.elastic.co/logstash/logstash:6.4.0
RUN apt-get update
RUN rm -f /usr/share/logstash/pipeline/logstash.conf
COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf
COPY config/wazuh-elastic5-template.json /etc/logstash/wazuh-elastic5-template.json
ADD config/run.sh /tmp/run.sh
RUN chmod 755 /tmp/run.sh
ENTRYPOINT ["/tmp/run.sh"]
COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf

View File

@@ -0,0 +1,45 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
# Wazuh - Logstash configuration file
## Remote Wazuh Manager - Filebeat input
input {
beats {
port => 5000
codec => "json_lines"
# ssl => true
# ssl_certificate => "/etc/logstash/logstash.crt"
# ssl_key => "/etc/logstash/logstash.key"
}
}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
}
filter {
geoip {
source => "@src_ip"
target => "GeoLocation"
fields => ["city_name", "country_name", "region_name", "location"]
}
date {
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
mutate {
remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
}
}
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
document_type => "wazuh"
}
}

View File

@@ -1,42 +0,0 @@
# Wazuh - Logstash configuration file
## Remote Wazuh Manager - Filebeat input
input {
beats {
port => 5000
codec => "json_lines"
# ssl => true
# ssl_certificate => "/etc/logstash/logstash.crt"
# ssl_key => "/etc/logstash/logstash.key"
}
}
## Local Wazuh Manager - JSON file input
#input {
# file {
# type => "wazuh-alerts"
# path => "/var/ossec/data/logs/alerts/alerts.json"
# codec => "json"
# }
#}
filter {
geoip {
source => "srcip"
target => "GeoLocation"
}
date {
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
mutate {
remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ]
}
}
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "wazuh-alerts-%{+YYYY.MM.dd}"
document_type => "wazuh"
template => "/etc/logstash/wazuh-elastic5-template.json"
template_name => "wazuh"
template_overwrite => true
}
}

View File

@@ -1,5 +1,5 @@
#!/bin/bash
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
#
# OSSEC container bootstrap. See the README for information of the environment
# variables expected by this script.

View File

@@ -1,620 +0,0 @@
{
"order": 0,
"template": "wazuh*",
"settings": {
"index.refresh_interval": "5s"
},
"mappings": {
"wazuh": {
"dynamic_templates": [
{
"string_as_keyword": {
"match_mapping_type": "string",
"mapping": {
"type": "keyword",
"doc_values": "true"
}
}
}
],
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"@version": {
"type": "text"
},
"agent": {
"properties": {
"ip": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"manager": {
"properties": {
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"dstuser": {
"type": "keyword",
"doc_values": "true"
},
"AlertsFile": {
"type": "keyword",
"doc_values": "true"
},
"full_log": {
"type": "text"
},
"previous_log": {
"type": "text"
},
"GeoLocation": {
"properties": {
"area_code": {
"type": "long"
},
"city_name": {
"type": "keyword",
"doc_values": "true"
},
"continent_code": {
"type": "text"
},
"coordinates": {
"type": "double"
},
"country_code2": {
"type": "text"
},
"country_code3": {
"type": "text"
},
"country_name": {
"type": "keyword",
"doc_values": "true"
},
"dma_code": {
"type": "long"
},
"ip": {
"type": "keyword",
"doc_values": "true"
},
"latitude": {
"type": "double"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "double"
},
"postal_code": {
"type": "keyword"
},
"real_region_name": {
"type": "keyword",
"doc_values": "true"
},
"region_name": {
"type": "keyword",
"doc_values": "true"
},
"timezone": {
"type": "text"
}
}
},
"host": {
"type": "keyword",
"doc_values": "true"
},
"syscheck": {
"properties": {
"path": {
"type": "keyword",
"doc_values": "true"
},
"sha1_before": {
"type": "keyword",
"doc_values": "true"
},
"sha1_after": {
"type": "keyword",
"doc_values": "true"
},
"uid_before": {
"type": "keyword",
"doc_values": "true"
},
"uid_after": {
"type": "keyword",
"doc_values": "true"
},
"gid_before": {
"type": "keyword",
"doc_values": "true"
},
"gid_after": {
"type": "keyword",
"doc_values": "true"
},
"perm_before": {
"type": "keyword",
"doc_values": "true"
},
"perm_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_before": {
"type": "keyword",
"doc_values": "true"
},
"gname_after": {
"type": "keyword",
"doc_values": "true"
},
"gname_before": {
"type": "keyword",
"doc_values": "true"
},
"inode_after": {
"type": "keyword",
"doc_values": "true"
},
"inode_before": {
"type": "keyword",
"doc_values": "true"
},
"mtime_after": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"mtime_before": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"uname_after": {
"type": "keyword",
"doc_values": "true"
},
"uname_before": {
"type": "keyword",
"doc_values": "true"
},
"size_before": {
"type": "long",
"doc_values": "true"
},
"size_after": {
"type": "long",
"doc_values": "true"
},
"diff": {
"type": "keyword",
"doc_values": "true"
},
"event": {
"type": "keyword",
"doc_values": "true"
}
}
},
"location": {
"type": "keyword",
"doc_values": "true"
},
"message": {
"type": "text"
},
"offset": {
"type": "keyword"
},
"rule": {
"properties": {
"description": {
"type": "keyword",
"doc_values": "true"
},
"groups": {
"type": "keyword",
"doc_values": "true"
},
"level": {
"type": "long",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"cve": {
"type": "keyword",
"doc_values": "true"
},
"info": {
"type": "keyword",
"doc_values": "true"
},
"frequency": {
"type": "long",
"doc_values": "true"
},
"firedtimes": {
"type": "long",
"doc_values": "true"
},
"cis": {
"type": "keyword",
"doc_values": "true"
},
"pci_dss": {
"type": "keyword",
"doc_values": "true"
}
}
},
"decoder": {
"properties": {
"parent": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
},
"ftscomment": {
"type": "keyword",
"doc_values": "true"
},
"fts": {
"type": "long",
"doc_values": "true"
},
"accumulate": {
"type": "long",
"doc_values": "true"
}
}
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"protocol": {
"type": "keyword",
"doc_values": "true"
},
"action": {
"type": "keyword",
"doc_values": "true"
},
"dstip": {
"type": "keyword",
"doc_values": "true"
},
"dstport": {
"type": "keyword",
"doc_values": "true"
},
"srcuser": {
"type": "keyword",
"doc_values": "true"
},
"program_name": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"status": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"url": {
"type": "keyword",
"doc_values": "true"
},
"data": {
"type": "keyword",
"doc_values": "true"
},
"system_name": {
"type": "keyword",
"doc_values": "true"
},
"type": {
"type": "text"
},
"title": {
"type": "keyword",
"doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
},
"audit": {
"properties": {
"type": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"syscall": {
"type": "keyword",
"doc_values": "true"
},
"exit": {
"type": "keyword",
"doc_values": "true"
},
"ppid": {
"type": "keyword",
"doc_values": "true"
},
"pid": {
"type": "keyword",
"doc_values": "true"
},
"auid": {
"type": "keyword",
"doc_values": "true"
},
"uid": {
"type": "keyword",
"doc_values": "true"
},
"gid": {
"type": "keyword",
"doc_values": "true"
},
"euid": {
"type": "keyword",
"doc_values": "true"
},
"suid": {
"type": "keyword",
"doc_values": "true"
},
"fsuid": {
"type": "keyword",
"doc_values": "true"
},
"egid": {
"type": "keyword",
"doc_values": "true"
},
"sgid": {
"type": "keyword",
"doc_values": "true"
},
"fsgid": {
"type": "keyword",
"doc_values": "true"
},
"tty": {
"type": "keyword",
"doc_values": "true"
},
"session": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"exe": {
"type": "keyword",
"doc_values": "true"
},
"key": {
"type": "keyword",
"doc_values": "true"
},
"cwd": {
"type": "keyword",
"doc_values": "true"
},
"directory.name": {
"type": "keyword",
"doc_values": "true"
},
"directory.inode": {
"type": "keyword",
"doc_values": "true"
},
"directory.mode": {
"type": "keyword",
"doc_values": "true"
},
"file.name": {
"type": "keyword",
"doc_values": "true"
},
"file.inode": {
"type": "keyword",
"doc_values": "true"
},
"file.mode": {
"type": "keyword",
"doc_values": "true"
},
"acct": {
"type": "keyword",
"doc_values": "true"
},
"dev": {
"type": "keyword",
"doc_values": "true"
},
"enforcing": {
"type": "keyword",
"doc_values": "true"
},
"list": {
"type": "keyword",
"doc_values": "true"
},
"old-auid": {
"type": "keyword",
"doc_values": "true"
},
"old-ses": {
"type": "keyword",
"doc_values": "true"
},
"old_enforcing": {
"type": "keyword",
"doc_values": "true"
},
"old_prom": {
"type": "keyword",
"doc_values": "true"
},
"op": {
"type": "keyword",
"doc_values": "true"
},
"prom": {
"type": "keyword",
"doc_values": "true"
},
"res": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"subj": {
"type": "keyword",
"doc_values": "true"
},
"success": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
},
"agent": {
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"status": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
}
}
}

16
nginx/Dockerfile Normal file
View File

@@ -0,0 +1,16 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
FROM nginx:latest
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install -y openssl apache2-utils
COPY config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
VOLUME ["/etc/nginx/conf.d"]
ENTRYPOINT /entrypoint.sh

View File

@@ -0,0 +1,54 @@
#!/bin/sh
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
set -e
# Generating certificates.
if [ ! -d /etc/nginx/conf.d/ssl ]; then
echo "Generating SSL certificates"
mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null
else
echo "SSL certificates already present"
fi
# Configuring default credentiales.
if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
echo "Setting Nginx credentials"
echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null
else
echo "Kibana credentials already configured"
fi
if [ "x${NGINX_PORT}" = "x" ]; then
NGINX_PORT=443
fi
if [ "x${KIBANA_HOST}" = "x" ]; then
KIBANA_HOST="kibana:5601"
fi
echo "Configuring NGINX"
cat > /etc/nginx/conf.d/default.conf <<EOF
server {
listen 80;
listen [::]:80;
return 301 https://\$host:${NGINX_PORT}\$request_uri;
}
server {
listen ${NGINX_PORT} default_server;
listen [::]:${NGINX_PORT};
ssl on;
ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
location / {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
proxy_pass http://${KIBANA_HOST}/;
}
}
EOF
nginx -g 'daemon off;'

View File

@@ -1,35 +1,77 @@
FROM centos:latest
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
FROM phusion/baseimage:latest
ARG FILEBEAT_VERSION=6.4.0
ARG WAZUH_VERSION=3.6.1-1
COPY config/*.repo /etc/yum.repos.d/
# Updating image
RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
RUN yum -y update; yum clean all;
RUN yum -y install epel-release openssl useradd; yum clean all
RUN yum -y install postfix mailx cyrus-sasl cyrus-sasl-plain; yum clean all
# Set Wazuh repository.
RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
# Set nodejs repository.
RUN curl --silent --location https://deb.nodesource.com/setup_8.x | bash -
# Creating ossec user as uid:gid 1000:1000
RUN groupadd -g 1000 ossec
RUN useradd -u 1000 -g 1000 ossec
RUN yum install -y wazuh-manager wazuh-api
# Configure postfix
RUN echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections
RUN echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
# Install packages
RUN apt-get update && apt-get -y install openssl postfix bsd-mailx python-boto python-pip \
apt-transport-https vim expect nodejs python-cryptography wazuh-manager=${WAZUH_VERSION} \
wazuh-api=${WAZUH_VERSION}
# Adding first run script.
ADD config/data_dirs.env /data_dirs.env
ADD config/init.bash /init.bash
# Sync calls are due to https://github.com/docker/docker/issues/9547
RUN chmod 755 /init.bash &&\
sync && /init.bash &&\
sync && rm /init.bash
RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.1.2-x86_64.rpm &&\
rpm -vi filebeat-5.1.2-x86_64.rpm && rm filebeat-5.1.2-x86_64.rpm
sync && /init.bash &&\
sync && rm /init.bash
# Installing and configuring fiebeat
RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\
dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
COPY config/filebeat.yml /etc/filebeat/
RUN chmod go-w /etc/filebeat/filebeat.yml
ADD config/run.sh /tmp/run.sh
RUN chmod 755 /tmp/run.sh
# Adding entrypoint
ADD config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
# Setting volumes
VOLUME ["/var/ossec/data"]
VOLUME ["/etc/filebeat"]
VOLUME ["/etc/postfix"]
EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp
# Services ports
EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
# Run supervisord so that the container will stay alive
# Clean up
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
ENTRYPOINT ["/tmp/run.sh"]
# Adding services
RUN mkdir /etc/service/wazuh
COPY config/wazuh.runit.service /etc/service/wazuh/run
RUN chmod +x /etc/service/wazuh/run
RUN mkdir /etc/service/wazuh-api
COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
RUN chmod +x /etc/service/wazuh-api/run
RUN mkdir /etc/service/postfix
COPY config/postfix.runit.service /etc/service/postfix/run
RUN chmod +x /etc/service/postfix/run
RUN mkdir /etc/service/filebeat
COPY config/filebeat.runit.service /etc/service/filebeat/run
RUN chmod +x /etc/service/filebeat/run
# Run all services
ENTRYPOINT ["/entrypoint.sh"]

116
wazuh/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,116 @@
#!/bin/bash
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
#
# OSSEC container bootstrap. See the README for information of the environment
# variables expected by this script.
#
#
#
# Startup the services
#
source /data_dirs.env
FIRST_TIME_INSTALLATION=false
WAZUH_INSTALL_PATH=/var/ossec
DATA_PATH=${WAZUH_INSTALL_PATH}/data
WAZUH_CONFIG_MOUNT=/wazuh-config-mount
print() {
echo -e $1
}
error_and_exit() {
echo "Error executing command: '$1'."
echo 'Exiting.'
exit 1
}
exec_cmd() {
eval $1 > /dev/null 2>&1 || error_and_exit "$1"
}
exec_cmd_stdout() {
eval $1 2>&1 || error_and_exit "$1"
}
edit_configuration() { # $1 -> setting, $2 -> value
sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
}
for ossecdir in "${DATA_DIRS[@]}"; do
if [ ! -e "${DATA_PATH}/${ossecdir}" ]
then
print "Installing ${ossecdir}"
exec_cmd "mkdir -p $(dirname ${DATA_PATH}/${ossecdir})"
exec_cmd "cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}"
FIRST_TIME_INSTALLATION=true
fi
done
touch ${DATA_PATH}/process_list
chgrp ossec ${DATA_PATH}/process_list
chmod g+rw ${DATA_PATH}/process_list
AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
if [ $FIRST_TIME_INSTALLATION == true ]
then
if [ $AUTO_ENROLLMENT_ENABLED == true ]
then
if [ ! -e ${DATA_PATH}/etc/sslmanager.key ]
then
print "Creating ossec-authd key and cert"
exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096"
exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
fi
fi
if [ $API_GENERATE_CERTS == true ]
then
if [ ! -e ${DATA_PATH}/api/configuration/ssl/server.crt ]
then
print "Enabling Wazuh API HTTPS"
edit_configuration "https" "yes"
print "Create Wazuh API key and cert"
exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096"
exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
fi
fi
fi
##############################################################################
# Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect
# destination files permissions
#
# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
# replace the ossec.conf file in /var/ossec/data/etc with yours.
##############################################################################
if [ -e "$WAZUH_CONFIG_MOUNT" ]
then
print "Identified Wazuh configuration files to mount..."
exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $DATA_PATH"
else
print "No Wazuh configuration files to mount..."
fi
# Enabling ossec-authd.
exec_cmd "/var/ossec/bin/ossec-control enable auth"
function ossec_shutdown(){
${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
}
# Trap exit signals and do a proper shutdown
trap "ossec_shutdown; exit" SIGINT SIGTERM
chmod -R g+rw ${DATA_PATH}
/sbin/my_init

View File

@@ -0,0 +1,3 @@
#!/bin/sh
service filebeat start
tail -f /var/log/filebeat/filebeat

View File

@@ -1,3 +1,4 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
filebeat:
prospectors:
- input_type: log

View File

@@ -1,4 +1,5 @@
#!/bin/bash
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
#
# Initialize the custom data directory layout

View File

@@ -0,0 +1,3 @@
#!/bin/sh
service postfix start
tail -f /var/log/mail.log

View File

@@ -1,79 +0,0 @@
#!/bin/bash
#
# OSSEC container bootstrap. See the README for information of the environment
# variables expected by this script.
#
#
#
# Startup the services
#
source /data_dirs.env
FIRST_TIME_INSTALLATION=false
DATA_PATH=/var/ossec/data
for ossecdir in "${DATA_DIRS[@]}"; do
if [ ! -e "${DATA_PATH}/${ossecdir}" ]
then
echo "Installing ${ossecdir}"
mkdir -p $(dirname ${DATA_PATH}/${ossecdir})
cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}
FIRST_TIME_INSTALLATION=true
fi
done
touch ${DATA_PATH}/process_list
chgrp ossec ${DATA_PATH}/process_list
chmod g+rw ${DATA_PATH}/process_list
AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
if [ $FIRST_TIME_INSTALLATION == true ]
then
if [ $AUTO_ENROLLMENT_ENABLED == true ]
then
if [ ! -e ${DATA_PATH}/etc/sslmanager.key ]
then
echo "Creating ossec-authd key and cert"
openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096
openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key\
-out ${DATA_PATH}/etc/sslmanager.cert -days 3650\
-subj /CN=${HOSTNAME}/
fi
fi
fi
function ossec_shutdown(){
/var/ossec/bin/ossec-control stop;
if [ $AUTO_ENROLLMENT_ENABLED == true ]
then
kill $AUTHD_PID
fi
}
# Trap exit signals and do a proper shutdown
trap "ossec_shutdown; exit" SIGINT SIGTERM
chmod -R g+rw ${DATA_PATH}
if [ $AUTO_ENROLLMENT_ENABLED == true ]
then
echo "Starting ossec-authd..."
/var/ossec/bin/ossec-authd -p 1515 -g ossec $AUTHD_OPTIONS >/dev/null 2>&1 &
AUTHD_PID=$!
fi
sleep 15 # give ossec a reasonable amount of time to start before checking status
LAST_OK_DATE=`date +%s`
## Start services
/usr/sbin/postfix start
/bin/node /var/ossec/api/app.js &
/usr/bin/filebeat.sh &
/var/ossec/bin/ossec-control restart
tail -f /var/ossec/logs/ossec.log

View File

@@ -0,0 +1,4 @@
#!/bin/sh
service wazuh-api start
tail -f /var/ossec/data/logs/api.log

View File

@@ -1,7 +0,0 @@
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=CENTOS-$releasever - Wazuh
baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch
protect=1

View File

@@ -0,0 +1,4 @@
#!/bin/sh
service wazuh-manager start
tail -f /var/ossec/data/logs/ossec.log