Upgrade Wazuh to 3.11.5 (#334 )

Former-commit-id: 18640426af
delay the wazuh remove credentials (#319 )
2025-10-29 19:13:46 +00:00 · 2020-04-20 17:53:24 +02:00 · 2020-03-26 15:58:33 +01:00 · 2020-03-25 18:45:58 +01:00 · 2020-03-24 12:14:19 +01:00 · 2020-03-10 13:37:33 +01:00
103 changed files with 4002 additions and 8066 deletions
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -1,36 +0,0 @@
 name: Wazuh Docker pipeline
 on: [push]
 jobs:
  build-stack:
    runs-on: ubuntu-latest
    steps:
    - name: Check out code
      uses: actions/checkout@v2
    - name: Build the docker-compose stack
      run: docker-compose -f build-from-sources.yml up -d --build
    - name: Check running containers
      run: docker ps -a
    - name: Shutdown the stack
      run: docker-compose -f build-from-sources.yml kill
    - name: Install Goss
      uses: e1himself/goss-installation-action@v1.0.3
      with:
        version: v0.3.16
    - name: Execute Goss tests (wazuh-odfe)
      run: dgoss run wazuh/wazuh-odfe:dev-version
      env:
        GOSS_SLEEP: 30
        GOSS_FILE: .goss.yaml
    - name: Execute Goss tests (wazuh-kibana-odfe)
      run: dgoss run wazuh/wazuh-kibana-odfe:dev-version
      env:
        GOSS_FILE: .goss.kibana.yaml
--- a/.goss.kibana.yaml
+++ b/.goss.kibana.yaml
@@ -1,53 +0,0 @@
 file:
  /usr/share/kibana/config/kibana.yml:
    exists: true
    mode: "0664"
    owner: kibana
    group: root
    filetype: file
    contains: []
  /usr/share/kibana/src/core/server/core_app/assets/legacy_light_theme.css:
    exists: true
    mode: "0664"
    owner: kibana
    group: root
    filetype: file
    contains: []
  /usr/share/kibana/src/core/server/core_app/assets/wazuh_logo_circle.svg:
    exists: true
    mode: "0644"
    owner: kibana
    group: root
    filetype: file
    contains: []
  /usr/share/kibana/src/core/server/core_app/assets/wazuh_wazuh_bg.svg:
    exists: true
    mode: "0644"
    owner: kibana
    group: root
    filetype: file
    contains: []
  /usr/share/kibana/data/wazuh/config/wazuh.yml:
    exists: true
    mode: "0644"
    owner: kibana
    group: kibana
    filetype: file
    contains: []
  /usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs:
    exists: true
    mode: "0664"
    owner: kibana
    group: root
    filetype: file
    contains: []
 user:
  kibana:
    exists: true
    groups:
    - kibana
    home: /usr/share/kibana
    shell: /bin/bash
 group:
  kibana:
    exists: true
--- a/.goss.yaml
+++ b/.goss.yaml
@@ -1,115 +0,0 @@
 file:
  /etc/filebeat/filebeat.yml:
    exists: true
    mode: "0644"
    owner: root
    group: root
    filetype: file
    contains: []
  /var/ossec/bin/wazuh-control:
    exists: true
    mode: "0750"
    owner: root
    group: root
    filetype: file
    contains: []
  /var/ossec/etc/lists/audit-keys:
    exists: true
    mode: "0660"
    owner: ossec
    group: ossec
    filetype: file
    contains: []
  /var/ossec/etc/ossec.conf:
    exists: true
    mode: "0660"
    owner: root
    group: ossec
    filetype: file
    contains: []
  /var/ossec/etc/rules/local_rules.xml:
    exists: true
    mode: "0660"
    owner: ossec
    group: ossec
    filetype: file
    contains: []
  /var/ossec/etc/sslmanager.cert:
    exists: true
    mode: "0640"
    owner: root
    group: root
    filetype: file
    contains: []
  /var/ossec/etc/sslmanager.key:
    exists: true
    mode: "0640"
    owner: root
    group: root
    filetype: file
    contains: []
 package:
  filebeat:
    installed: true
    versions:
    - 7.10.2
  wazuh-manager:
    installed: true
    versions:
    - 4.2.3
 port:
  tcp:1514:
    listening: true
    ip:
    - 0.0.0.0
  tcp:1515:
    listening: true
    ip:
    - 0.0.0.0
  tcp:55000:
    listening: true
    ip:
    - 0.0.0.0
 user:
  ossec:
    exists: true
    groups:
    - ossec
    home: /var/ossec
    shell: /sbin/nologin
  ossecm:
    exists: true
    groups:
    - ossec
    home: /var/ossec
    shell: /sbin/nologin
  ossecr:
    exists: true
    groups:
    - ossec
    home: /var/ossec
    shell: /sbin/nologin
 group:
  ossec:
    exists: true
 process:
  filebeat:
    running: true
  wazuh-analysisd:
    running: true
  wazuh-authd:
    running: true
  wazuh-execd:
    running: true
  wazuh-monitord:
    running: true
  wazuh-remoted:
    running: true
  wazuh-syscheckd:
    running: true
  s6-supervise:
    running: true
  wazuh-db:
    running: true
  wazuh-modulesd:
    running: true
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,218 +1,6 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 ## Wazuh Docker v4.2.3
 ### Added
 - Update Wazuh to version [4.2.3](https://github.com/wazuh/wazuh/blob/v4.2.3/CHANGELOG.md#v423)
 ## Wazuh Docker v4.2.2
 ### Added
 - Update Wazuh to version [4.2.2](https://github.com/wazuh/wazuh/blob/v4.2.2/CHANGELOG.md#v422)
 ## Wazuh Docker v4.2.1
 ### Added
 - Update Wazuh to version [4.2.1](https://github.com/wazuh/wazuh/blob/v4.2.1/CHANGELOG.md#v421)
 ## Wazuh Docker v4.2.0
 ### Added
 - Update Wazuh to version [4.2.0](https://github.com/wazuh/wazuh/blob/v4.2.0/CHANGELOG.md#v420)
 ## Wazuh Docker v4.1.5
 ### Added
 - Update Wazuh to version [4.1.5](https://github.com/wazuh/wazuh/blob/v4.1.5/CHANGELOG.md#v415)
 - Update ODFE compatibility to version 1.13.2
 ## Wazuh Docker v4.1.4
 ### Added
 - Update Wazuh to version [4.1.4](https://github.com/wazuh/wazuh/blob/v4.1.4/CHANGELOG.md#v414)
 ## Wazuh Docker v4.1.3
 ### Added
 - Update Wazuh to version [4.1.3](https://github.com/wazuh/wazuh/blob/v4.1.3/CHANGELOG.md#v413)
 ## Wazuh Docker v4.1.2
 ### Added
 - Update Wazuh to version [4.1.2](https://github.com/wazuh/wazuh/blob/v4.1.2/CHANGELOG.md#v412)
 ## Wazuh Docker v4.1.1
 ### Added
 - Update Wazuh to version [4.1.1](https://github.com/wazuh/wazuh/blob/v4.1.1/CHANGELOG.md#v411)
 ## Wazuh Docker v4.1.0
 ### Added
 - Update Wazuh to version [4.1.0](https://github.com/wazuh/wazuh/blob/v4.1.0/CHANGELOG.md#v410)
 - Update ODFE compatibility to version 1.12.0
 - Add support for Elasticsearch (xpack) images once again (7.10.2)  ([@xr09](https://github.com/xr09)) [#409](https://github.com/wazuh/wazuh-docker/pull/409)
 - Re-enable entrypoint scripts  ([@xr09](https://github.com/xr09)) [#435](https://github.com/wazuh/wazuh-docker/pull/435)
 - Add Goss binary for healthchecks ([@xr09](https://github.com/xr09)) [$441](https://github.com/wazuh/wazuh-docker/pull/441)
 - Update s6-overlay to latest version
 ## Wazuh Docker v4.0.4_1.11.0
 ### Added
 - Update to Wazuh version [4.0.4](https://github.com/wazuh/wazuh/blob/v4.0.4/CHANGELOG.md#v404)
 ## Wazuh Docker v4.0.3_1.11.0
 ### Added
 - Update to Wazuh version 4.0.3
 ## Wazuh Docker v4.0.2_1.11.0
 ### Added
 - Update to Wazuh version 4.0.2
 ## Wazuh Docker v4.0.1_1.11.0
 ### Added
 - Update to Wazuh version 4.0.1
 - Opendistro 1.11.0 compatiblity
 - Re-enabled dumping ossec.log to stdout
 ## Wazuh Docker v4.0.0_1.10.1
 ### Added
 - Update to Wazuh version 4.0.0
 - Updating Wazuh cluster key dynamically ([@1stOfHisGame](https://github.com/1stOfHisGame))  [#393](https://github.com/wazuh/wazuh-docker/pull/393)
 - Switched to CentOS 7 for base image ([@xr09](https://github.com/xr09)) [#259](https://github.com/wazuh/wazuh-docker/issues/259)
 - Using s6-overlay for process management ([@xr09](https://github.com/xr09)) [#274](https://github.com/wazuh/wazuh-docker/issues/274)
 - Allow the creation of custom API users ([@xr09](https://github.com/xr09)) [#395](https://github.com/wazuh/wazuh-docker/issues/395)
 - OpenDistro support ([@xr09](https://github.com/xr09)) [#373](https://github.com/wazuh/wazuh-docker/pull/373)
 ### Changed
 - Removal of Elastic images
 ## Wazuh Docker v3.13.2_7.9.1
 ### Added
 - Update to Wazuh version 3.13.2_7.9.1
 - Add CLUSTER_NETWORK_HOST environment variable ([@jfut](https://github.com/jfut)) [#372](https://github.com/wazuh/wazuh-docker/pull/372)
 ### Fixed
 - Too many redirects when running on port 80 ([@chowmean](https://github.com/chowmean)) [#377](https://github.com/wazuh/wazuh-docker/pull/377)
 - Move Filebeat installation to build stage ([@xr09](https://github.com/xr09)) [#378](https://github.com/wazuh/wazuh-docker/pull/378)
 ## Wazuh Docker v3.13.1_7.8.0
 ### Added
 - Update to Wazuh version 3.13.1_7.8.0
 ## Wazuh Docker v3.13.0_7.7.1
 ### Added
 - Update to Wazuh version 3.13.3_7.7.1
 ### Fixed
 - Save agentless state ([@xr09](https://github.com/xr09)) [#350](https://github.com/wazuh/wazuh-docker/pull/350)
 - Use HTTP credentials for service check when required ([@xr09](https://github.com/xr09)) [#356](https://github.com/wazuh/wazuh-docker/pull/356)
 ## Wazuh Docker v3.12.3_7.6.2
 ### Added
 - Update to Wazuh version 3.12.3_7.6.2
 ## Wazuh Docker v3.12.2_7.6.2
 ### Added
 - Update to Wazuh version 3.12.2_7.6.2
 ## Wazuh Docker v3.12.1_7.6.2
 ### Added
 - Update to Wazuh version 3.12.1_7.6.2
 ### Fixed
 - Agent timestamp not being properly saved ([@xr09](https://github.com/xr09)) [#323](https://github.com/wazuh/wazuh-docker/pull/323)
 ## Wazuh Docker v3.12.0_7.6.1
 ### Added
 - Update to Wazuh version 3.12.0_7.6.1
 ## Wazuh Docker v3.11.4_7.6.1
 ### Added
 - Update to Wazuh version 3.11.4_7.6.1
 - Enable HTTP v2 on nginx ([@xr09](https://github.com/xr09)) [#308](https://github.com/wazuh/wazuh-docker/pull/308)
 ### Fixed
 - Updated NGINX config syntax ([@xr09](https://github.com/xr09)) [#303](https://github.com/wazuh/wazuh-docker/pull/303)
 ## Wazuh Docker v3.11.3_7.5.2
 ### Added
 - Update to Wazuh version 3.11.3_7.5.2
 ## Wazuh Docker v3.11.2_7.5.1
 ### Added
 - Bumped Node.js to version 10 ([@xr09](https://github.com/xr09)) [#8615cd4](https://github.com/wazuh/wazuh-docker/commit/8615cd4d2152601e55becc7c3675360938e74b6a)
 ### Fixed
 - Fix S3 Plugin ([@AnthonySendra](https://github.com/AnthonySendra)) [#293](https://github.com/wazuh/wazuh-docker/pull/293)
 ## Wazuh Docker v3.11.1_7.5.1
 ### Added
 - Update to Wazuh version 3.11.1_7.5.1
 - Filebeat configuration file updated to latest version ([@manuasir](https://github.com/manuasir)) [#271](https://github.com/wazuh/wazuh-docker/pull/271)
 - Allow using the hostname as node_name for managers ([@JPLachance](https://github.com/JPLachance)) [#261](https://github.com/wazuh/wazuh-docker/pull/261)
 ## Wazuh Docker v3.11.0_7.5.1
 ### Added
 - Update to Wazuh version 3.11.0_7.5.1
 ## Wazuh Docker v3.10.2_7.5.0
 ### Added
 - Update to Wazuh version 3.10.2_7.5.0
 ## Wazuh Docker v3.10.2_7.3.2
 ### Added
@@ -238,6 +26,7 @@ All notable changes to this project will be documented in this file.
 - Update to Wazuh version 3.9.4_7.2.0
 - Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)
 ## Wazuh Docker v3.9.3_7.2.0
 ### Fixed
@@ -249,12 +38,21 @@ All notable changes to this project will be documented in this file.
 - Update to Wazuh version 3.9.2_7.1.1
 ## Wazuh Docker v3.9.3_6.8.1
 ### Added
 - Update to Wazuh version 3.9.3_6.8.1
 - Option to disable additionals X-Pack applications and hide unnecesary management links ([@SitoRBJ](https://github.com/SitoRBJ)) ([#163](https://github.com/wazuh/wazuh-docker/pull/163))
 ## Wazuh Docker v3.9.2_6.8.0
 ### Added
 - Update to Wazuh version 3.9.2_6.8.0
 ## Wazuh Docker v3.9.1_7.1.0
 ### Added
@@ -267,11 +65,21 @@ All notable changes to this project will be documented in this file.
 ### Added
 - Update to Wazuh version 3.9.1_6.8.0 ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
 - Security for Elastic Stack in Docker implemented ([#186](https://github.com/wazuh/wazuh-docker/issues/186))
 ### Fixed
 - Fixed `ELASTICSEARCH_KIBANA_IP` environment variable ([@manuasir](https://github.com/manuasir)) ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
 ## Wazuh Docker v3.9.1_7.1.0
 ### Added
 - Support for Elastic v7.1.0
 - New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
 ## Wazuh Docker v3.9.0_6.7.2
 ### Changed
@@ -280,6 +88,7 @@ All notable changes to this project will be documented in this file.
 ## Wazuh Docker v3.9.0_6.7.1
 ### Added
 - Support for xPACK authorized requests ([@manuasir](https://github.com/manuasir)) ([#119](https://github.com/wazuh/wazuh-docker/pull/119))
--- a/2
+++ b/2
@@ -1,5 +1,5 @@
- Portions Copyright (C) 2021 Wazuh, Inc.
+ Portions Copyright (C) 2019 Wazuh, Inc.
 Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
 This program is a free software; you can redistribute it and/or modify
--- a/README.md
+++ b/README.md
@@ -7,9 +7,10 @@
 In this repository you will find the containers to run:
-* wazuh-opendistro: It runs the Wazuh manager, Wazuh API and Filebeat OSS (for integration with ODFE)
+* wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
-* wazuh-kibana-opendistro: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
+* wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
-* opendistro-for-elasticsearch: An Elasticsearch (ODFE) container (working as a single-node cluster) using ODFE Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
+* wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme).
 * wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** 
 In addition, a docker-compose file is provided to launch the containers mentioned above. 
@@ -21,154 +22,42 @@ In addition, a docker-compose file is provided to launch the containers mentione
 * [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
 * [Docker hub](https://hub.docker.com/u/wazuh)
 ### Setup SSL certificate
 Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed).
 Documentation on how to provide these two can be found at [Wazuh Docer Documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#production-deployment).
 ## Environment Variables
 Default values are included when available.
 ### Wazuh
 ```
 API_USERNAME="wazuh"                                # Wazuh API username
 API_PASSWORD="wazuh"                                # Wazuh API password - Must comply with requirements
                                                    # (8+ length, uppercase, lowercase, specials chars)
 ELASTICSEARCH_URL=https://elasticsearch:9200        # Elasticsearch URL
 ELASTIC_USERNAME=admin                              # Elasticsearch Username
 ELASTIC_PASSWORD=admin                              # Elasticsearch Password
 FILEBEAT_SSL_VERIFICATION_MODE=full                 # Filebeat SSL Verification mode (full or none)
 SSL_CERTIFICATE_AUTHORITIES=""                      # Path of Filebeat SSL CA
 SSL_CERTIFICATE=""                                  # Path of Filebeat SSL Certificate
 SSL_KEY=""                                          # Path of Filebeat SSL Key
 ```
 ### Kibana
 ```
 PATTERN="wazuh-alerts-*"        # Default index pattern to use
 CHECKS_PATTERN=true             # Defines which checks must to be consider by the healthcheck
 CHECKS_TEMPLATE=true            # step once the Wazuh app starts. Values must to be true or false
 CHECKS_API=true
 CHECKS_SETUP=true
 EXTENSIONS_PCI=true             # Enable PCI Extension
 EXTENSIONS_GDPR=true            # Enable GDPR Extension
 EXTENSIONS_HIPAA=true           # Enable HIPAA Extension
 EXTENSIONS_NIST=true            # Enable NIST Extension
 EXTENSIONS_TSC=true             # Enable TSC Extension
 EXTENSIONS_AUDIT=true           # Enable Audit Extension
 EXTENSIONS_OSCAP=false          # Enable OpenSCAP Extension
 EXTENSIONS_CISCAT=false         # Enable CISCAT Extension
 EXTENSIONS_AWS=false            # Enable AWS Extension
 EXTENSIONS_GCP=false            # Enable GCP Extension
 EXTENSIONS_VIRUSTOTAL=false     # Enable Virustotal Extension
 EXTENSIONS_OSQUERY=false        # Enable OSQuery Extension
 EXTENSIONS_DOCKER=false         # Enable Docker Extension
 APP_TIMEOUT=20000               # Defines maximum timeout to be used on the Wazuh app requests
 API_SELECTOR=true               Defines if the user is allowed to change the selected API directly from the Wazuh app top menu
 IP_SELECTOR=true                # Defines if the user is allowed to change the selected index pattern directly from the Wazuh app top menu
 IP_IGNORE="[]"                  # List of index patterns to be ignored
 WAZUH_MONITORING_ENABLED=true       # Custom settings to enable/disable wazuh-monitoring indices
 WAZUH_MONITORING_FREQUENCY=900      # Custom setting to set the frequency for wazuh-monitoring indices cron task
 WAZUH_MONITORING_SHARDS=2           # Configure wazuh-monitoring-* indices shards and replicas
 WAZUH_MONITORING_REPLICAS=0         #
 ADMIN_PRIVILEGES=true               # App privileges
 ```
 ## Directory structure
-    ├── CHANGELOG.md
+	wazuh-docker
 	├── docker-compose.yml
-    ├── generate-opendistro-certs.yml
+	├── kibana
    ├── kibana-odfe
 	│   ├── config
    │   │   ├── custom_welcome
    │   │   │   ├── light_theme.style.css
    │   │   │   ├── template.js.hbs
    │   │   │   ├── wazuh_logo_circle.svg
    │   │   │   └── wazuh_wazuh_bg.svg
 	│   │   ├── entrypoint.sh
-    │   │   ├── kibana_settings.sh
+	│   │   └── kibana.yml
    │   │   ├── wazuh_app_config.sh
    │   │   ├── wazuh.yml
    │   │   └── welcome_wazuh.sh
 	│   └── Dockerfile
 	├── LICENSE
-    ├── production_cluster
+	├── nginx
-    │   ├── elastic_opendistro
+	│   ├── config
-    │   │   ├── elasticsearch-node1.yml
+	│   │   └── entrypoint.sh
-    │   │   ├── elasticsearch-node2.yml
+	│   └── Dockerfile
    │   │   ├── elasticsearch-node3.yml
    │   │   └── internal_users.yml
    │   ├── kibana_ssl
    │   │   └── generate-self-signed-cert.sh
    │   ├── nginx
    │   │   ├── nginx.conf
    │   │   └── ssl
    │   │       └── generate-self-signed-cert.sh
    │   ├── ssl_certs
    │   │   └── certs.yml
    │   └── wazuh_cluster
    │       ├── wazuh_manager.conf
    │       └── wazuh_worker.conf
    ├── production-cluster.yml
 	├── README.md
 	├── CHANGELOG.md
 	├── VERSION
-    └── wazuh-odfe
+	├── test.txt
 	└── wazuh
 	    ├── config
-        │   ├── create_user.py
+	    │   ├── data_dirs.env
-        │   ├── etc
+	    │   ├── entrypoint.sh
-        │   │   ├── cont-init.d
+	    │   ├── filebeat.runit.service
        │   │   │   ├── 0-wazuh-init
        │   │   │   ├── 1-config-filebeat
        │   │   │   └── 2-manager
        │   │   └── services.d
        │   │       └── filebeat
        │   │           ├── finish
        │   │           └── run
 	    │   ├── filebeat.yml
-        │   ├── permanent_data.env
+	    │   ├── init.bash
-        │   ├── permanent_data.sh
+	    │   ├── postfix.runit.service
-        │   └── wazuh.repo
+	    │   ├── wazuh-api.runit.service
 	    │   └── wazuh.runit.service
 	    └── Dockerfile
 ## Branches
 * `stable` branch on correspond to the latest Wazuh-Docker stable version.
 * `master` branch contains the latest code, be aware of possible bugs on this branch.
-* `stable` branch on correspond to the last Wazuh stable version.
+* `Wazuh.Version_ElasticStack.Version` (for example 3.10.2_7.3.2) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
 ## Compatibility Matrix
 | Wazuh version | ODFE    | XPACK  |
 |---------------|---------|--------|
 | v4.2.3        | 1.13.2  | 7.11.2 |
 | v4.2.2        | 1.13.2  | 7.11.2 |
 | v4.2.1        | 1.13.2  | 7.11.2 |
 | v4.2.0        | 1.13.2  | 7.10.2 |
 | v4.1.5        | 1.13.2  | 7.10.2 |
 | v4.1.4        | 1.12.0  | 7.10.2 |
 | v4.1.3        | 1.12.0  | 7.10.2 |
 | v4.1.2        | 1.12.0  | 7.10.2 |
 | v4.1.1        | 1.12.0  | 7.10.2 |
 | v4.1.0        | 1.12.0  | 7.10.2 |
 | v4.0.4        | 1.11.0  |        |
 | v4.0.3        | 1.11.0  |        |
 | v4.0.2        | 1.11.0  |        |
 | v4.0.1        | 1.11.0  |        |
 | v4.0.0        | 1.10.1  |        |
 ## Credits and Thank you
@@ -181,7 +70,7 @@ We thank you them and everyone else who has contributed to this project.
 ## License and copyright
-Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ## Web references
--- a/4
+++ b/4
@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="4.2.3"
+WAZUH-DOCKER_VERSION="3.11.5_7.3.2"
-REVISION="40217"
+REVISION="31150"
--- a/build-from-sources.yml
+++ b/build-from-sources.yml
@@ -1,84 +0,0 @@
 # Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 version: '3.7'
 services:
  wazuh:
    build:  wazuh-odfe/
    image: wazuh/wazuh-odfe:dev-version
    hostname: wazuh-manager
    restart: always
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - ELASTICSEARCH_URL=https://elasticsearch:9200
      - ELASTIC_USERNAME=admin
      - ELASTIC_PASSWORD=admin
      - FILEBEAT_SSL_VERIFICATION_MODE=none
    volumes:
      - ossec_api_configuration:/var/ossec/api/configuration
      - ossec_etc:/var/ossec/etc
      - ossec_logs:/var/ossec/logs
      - ossec_queue:/var/ossec/queue
      - ossec_var_multigroups:/var/ossec/var/multigroups
      - ossec_integrations:/var/ossec/integrations
      - ossec_active_response:/var/ossec/active-response/bin
      - ossec_agentless:/var/ossec/agentless
      - ossec_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
  elasticsearch:
    image: amazon/opendistro-for-elasticsearch:1.13.2
    hostname: elasticsearch
    restart: always
    ports:
      - "9200:9200"
    environment:
      - discovery.type=single-node
      - cluster.name=wazuh-cluster
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - bootstrap.memory_lock=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
  kibana:
    build: kibana-odfe/
    image: wazuh/wazuh-kibana-odfe:dev-version
    hostname: kibana
    restart: always
    ports:
      - 443:5601
    environment:
      - ELASTICSEARCH_USERNAME=admin
      - ELASTICSEARCH_PASSWORD=admin
      - SERVER_SSL_ENABLED=true
      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
      - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
    depends_on:
      - elasticsearch
    links:
      - elasticsearch:elasticsearch
      - wazuh:wazuh
 volumes:
  ossec_api_configuration:
  ossec_etc:
  ossec_logs:
  ossec_queue:
  ossec_var_multigroups:
  ossec_integrations:
  ossec_active_response:
  ossec_agentless:
  ossec_wodles:
  filebeat_etc:
  filebeat_var:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,82 +1,92 @@
-# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-version: '3.7'
+version: '2'
 services:
  wazuh:
-    image: wazuh/wazuh-odfe:4.2.3
+    image: wazuh/wazuh:3.10.2_7.3.2
    hostname: wazuh-manager
    restart: always
    ports:
-      - "1514:1514"
+      - "1514:1514/udp"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
-    environment:
+  #   depends_on:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
+  #     - logstash
-      - ELASTIC_USERNAME=admin
+  # logstash:
-      - ELASTIC_PASSWORD=admin
+  #   image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
-      - FILEBEAT_SSL_VERIFICATION_MODE=none
+  #   hostname: logstash
-    volumes:
+  #   restart: always
-      - ossec_api_configuration:/var/ossec/api/configuration
+  #   links:
-      - ossec_etc:/var/ossec/etc
+  #     - elasticsearch:elasticsearch
-      - ossec_logs:/var/ossec/logs
+  #   ports:
-      - ossec_queue:/var/ossec/queue
+  #     - "5000:5000"
-      - ossec_var_multigroups:/var/ossec/var/multigroups
+  #   depends_on:
-      - ossec_integrations:/var/ossec/integrations
+  #     - elasticsearch
-      - ossec_active_response:/var/ossec/active-response/bin
+  #   environment:
-      - ossec_agentless:/var/ossec/agentless
+  #     - LS_HEAP_SIZE=2048m
-      - ossec_wodles:/var/ossec/wodles
+  #     - SECURITY_ENABLED=no
-      - filebeat_etc:/etc/filebeat
+  #     - SECURITY_LOGSTASH_USER=service_logstash
-      - filebeat_var:/var/lib/filebeat
+  #     - SECURITY_LOGSTASH_PASS=logstash_pass
-
+  #     - LOGSTASH_OUTPUT=https://elasticsearch:9200
  #     - ELASTICSEARCH_URL=https://elasticsearch:9200
  #     - SECURITY_CA_PEM=server.TEST-CA-signed.pem
  elasticsearch:
-    image: amazon/opendistro-for-elasticsearch:1.13.2
+    image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
    hostname: elasticsearch
    restart: always
    ports:
      - "9200:9200"
    environment:
-      - discovery.type=single-node
+      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
-      - cluster.name=wazuh-cluster
+      - ELASTICSEARCH_PROTOCOL=http
-      - network.host=0.0.0.0
+      - ELASTICSEARCH_IP=elasticsearch
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - ELASTICSEARCH_PORT=9200
-      - bootstrap.memory_lock=true
+      - SECURITY_ENABLED=no
      - SECURITY_ELASTIC_PASSWORD=elastic_pass
      - SECURITY_MAIN_NODE=elasticsearch
      - ELASTIC_CLUSTER=true
      - CLUSTER_NODE_MASTER=true
      - CLUSTER_MASTER_NODE_NAME=elasticsearch
      - CLUSTER_NODE_DATA=true
      - CLUSTER_NODE_INGEST=true
      - CLUSTER_MAX_NODES=3
    ulimits:
      memlock:
        soft: -1
        hard: -1
-      nofile:
+    mem_limit: 2g
        soft: 65536
        hard: 65536
  kibana:
-    image: wazuh/wazuh-kibana-odfe:4.2.3
+    image: wazuh/wazuh-kibana:3.10.2_7.3.2
    hostname: kibana
    restart: always
    ports:
      - 443:5601
    environment:
      - ELASTICSEARCH_USERNAME=admin
      - ELASTICSEARCH_PASSWORD=admin
      - SERVER_SSL_ENABLED=true
      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
      - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
    depends_on:
      - elasticsearch
    links:
      - elasticsearch:elasticsearch
      - wazuh:wazuh
    environment:
      - ELASTICSEARCH_URL=https://elasticsearch:9200
      - SECURITY_ENABLED=no
      - SECURITY_KIBANA_USER=service_kibana
      - SECURITY_KIBANA_PASS=kibana_pass
      - ELASTICSEARCH_KIBANA_IP=https://elasticsearch:9200
      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
    ports:
      - "5601:5601"
-volumes:
+  nginx:
-  ossec_api_configuration:
+    image: wazuh/wazuh-nginx:3.10.2_7.3.2
-  ossec_etc:
+    hostname: nginx
-  ossec_logs:
+    restart: always
-  ossec_queue:
+    environment:
-  ossec_var_multigroups:
+      - NGINX_PORT=443
-  ossec_integrations:
+      - NGINX_CREDENTIALS
-  ossec_active_response:
+    ports:
-  ossec_agentless:
+      - "80:80"
-  ossec_wodles:
+      - "443:443"
-  filebeat_etc:
+    depends_on:
-  filebeat_var:
+      - kibana
    links:
      - kibana:kibana
--- a/elasticsearch/Dockerfile
+++ b/elasticsearch/Dockerfile
@@ -0,0 +1,96 @@
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ARG ELASTIC_VERSION=7.4.2
 FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
 ARG TEMPLATE_VERSION=v3.11.4
 ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
 ENV API_USER="foo" \
    API_PASS="bar"
 ENV XPACK_ML="true" 
 ENV ENABLE_CONFIGURE_S3="false"
 ENV WAZUH_ALERTS_SHARDS="1" \
    WAZUH_ALERTS_REPLICAS="0"
 ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /usr/share/elasticsearch/config
 RUN yum install epel-release -y && \
    yum install jq -y
 # This CA is created for testing. Please set your own CA zip containing the key and the signed certificate. 
 # command: $ docker build <elasticsearch_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_KEY_LOCATION=<CA_KEY_LOCATION>
 # ENV variables are necessary: SECURITY_CA_PEM, SECURITY_CA_KEY, SECURITY_CA_TRUST, SECURITY_OPENSSL_CONF 
 # Example:
 # ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
 # ARG SECURITY_CA_KEY_LOCATION="config/server.TEST-CA.key"
 # ARG SECURITY_OPENSSL_CONF_LOCATION="config/TEST_openssl.cnf"
 # ARG SECURITY_CA_TRUST_LOCATION="config/server.TEST-CA-signed.pem"
 ARG SECURITY_CA_PEM_LOCATION=""
 ARG SECURITY_CA_KEY_LOCATION=""
 ARG SECURITY_OPENSSL_CONF_LOCATION=""
 ARG SECURITY_CA_TRUST_LOCATION=""
 # Elasticearch cluster configuration environment variables
 # If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
 # CLUSTER_INITIAL_MASTER_NODES set to own node by default.
 ENV ELASTIC_CLUSTER="false" \
    CLUSTER_NAME="wazuh" \
    CLUSTER_NODE_MASTER="false" \
    CLUSTER_NODE_DATA="true" \
    CLUSTER_NODE_INGEST="true" \
    CLUSTER_MEMORY_LOCK="true" \
    CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
    CLUSTER_NUMBER_OF_MASTERS="2" \
    CLUSTER_MAX_NODES="1" \
    CLUSTER_DELAYED_TIMEOUT="1m" \
    CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch" \
    CLUSTER_DISCOVERY_SEED="elasticsearch"
 # CA cert for Transport SSL
 ADD $SECURITY_CA_PEM_LOCATION /usr/share/elasticsearch/config
 ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config 
 ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config 
 ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config 
 RUN mkdir /entrypoint-scripts
 COPY config/entrypoint.sh /entrypoint.sh
 RUN chmod 755 /entrypoint.sh
 RUN bin/elasticsearch-plugin install repository-s3 -b
 COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoint-scripts/10-config_cluster.sh
 COPY --chown=elasticsearch:elasticsearch ./config/15-get_CA_key.sh /entrypoint-scripts/15-get_CA_key.sh
 COPY --chown=elasticsearch:elasticsearch ./config/20-security_instances.sh /entrypoint-scripts/20-security_instances.sh
 COPY --chown=elasticsearch:elasticsearch ./config/22-security_certs.sh /entrypoint-scripts/22-security_certs.sh
 COPY --chown=elasticsearch:elasticsearch ./config/24-security_configuration.sh /entrypoint-scripts/24-security_configuration.sh
 COPY --chown=elasticsearch:elasticsearch ./config/26-security_keystore.sh /entrypoint-scripts/26-security_keystore.sh
 COPY --chown=elasticsearch:elasticsearch ./config/30-decrypt_credentials.sh /entrypoint-scripts/30-decrypt_credentials.sh
 COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint.sh /entrypoint-scripts/35-entrypoint.sh
 COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint_load_settings.sh ./
 COPY config/35-load_settings_configure_s3.sh ./config/35-load_settings_configure_s3.sh
 COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_users_management.sh ./
 COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_policies.sh ./
 COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_templates.sh ./
 COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_aliases.sh ./
 RUN chmod +x /entrypoint-scripts/10-config_cluster.sh && \
    chmod +x /entrypoint-scripts/15-get_CA_key.sh && \
    chmod +x /entrypoint-scripts/20-security_instances.sh && \
    chmod +x /entrypoint-scripts/22-security_certs.sh && \
    chmod +x /entrypoint-scripts/24-security_configuration.sh && \
    chmod +x /entrypoint-scripts/26-security_keystore.sh && \
    chmod +x /entrypoint-scripts/30-decrypt_credentials.sh && \
    chmod +x /entrypoint-scripts/35-entrypoint.sh && \
    chmod +x ./35-entrypoint_load_settings.sh && \
    chmod 755 ./config/35-load_settings_configure_s3.sh && \
    chmod +x ./35-load_settings_users_management.sh && \
    chmod +x ./35-load_settings_policies.sh && \
    chmod +x ./35-load_settings_templates.sh && \
    chmod +x ./35-load_settings_aliases.sh
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["elasticsearch"]
--- a/elasticsearch/config/10-config_cluster.sh
+++ b/elasticsearch/config/10-config_cluster.sh
@@ -0,0 +1,93 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
 original_file="/usr/share/elasticsearch/config/original-elasticsearch.yml"
 ELASTIC_HOSTAME=`hostname`
 echo "CLUSTER: - Prepare Configuration"
 echo "CLUSTER: - Hostname"
 echo $ELASTIC_HOSTAME
 echo "CLUSTER: - Security main node"
 echo $SECURITY_MAIN_NODE
 echo "CLUSTER: - Discovery seed"
 echo $CLUSTER_DISCOVERY_SEED
 echo "CLUSTER: - Elastic cluster flag"
 echo $ELASTIC_CLUSTER
 echo "CLUSTER: - Node Master"
 echo $CLUSTER_NODE_MASTER
 echo "CLUSTER: - Node Data"
 echo $CLUSTER_NODE_DATA
 echo "CLUSTER: - Node Ingest"
 echo $CLUSTER_NODE_INGEST
 cp $elastic_config_file $original_file 
 remove_single_node_conf(){
  if grep -Fq "discovery.type" $1; then
    sed -i '/discovery.type\: /d' $1 
  fi
 }
 remove_cluster_config(){
  sed -i '/# cluster node/,/# end cluster config/d' $1
 }
 # If Elasticsearch cluster is enable, then set up the elasticsearch.yml
 if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $ELASTIC_HOSTAME != "" ]]; then
  # Remove the old configuration
  remove_single_node_conf $elastic_config_file
  remove_cluster_config $elastic_config_file
  echo "CLUSTER: - Remove old configuration"
 if [[ $ELASTIC_HOSTAME == $SECURITY_MAIN_NODE ]]; then
 # Add the master configuration
 # cluster.initial_master_nodes for bootstrap the cluster
 echo "CLUSTER: - Add the master configuration"
 cat > $elastic_config_file << EOF
 # cluster node
 cluster.name: $CLUSTER_NAME
 bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK
 network.host: 0.0.0.0
 node.name: $ELASTIC_HOSTAME
 node.master: $CLUSTER_NODE_MASTER
 node.data: $CLUSTER_NODE_DATA
 node.ingest: $CLUSTER_NODE_INGEST
 node.max_local_storage_nodes: $CLUSTER_MAX_NODES
 cluster.initial_master_nodes: 
  - $ELASTIC_HOSTAME
 # end cluster config" 
 EOF
 elif [[ $CLUSTER_DISCOVERY_SEED != "" ]]; then
 # Remove the old configuration
 remove_single_node_conf $elastic_config_file
 remove_cluster_config $elastic_config_file
 echo "CLUSTER: - Add standard cluster configuration."
 cat > $elastic_config_file << EOF
 # cluster node
 cluster.name: $CLUSTER_NAME
 bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK
 network.host: 0.0.0.0
 node.name: $ELASTIC_HOSTAME
 node.master: $CLUSTER_NODE_MASTER
 node.data: $CLUSTER_NODE_DATA
 node.ingest: $CLUSTER_NODE_INGEST
 node.max_local_storage_nodes: $CLUSTER_MAX_NODES
 discovery.seed_hosts: 
  - $CLUSTER_DISCOVERY_SEED
 # end cluster config" 
 EOF
 fi
 # If the cluster is disabled, then set a single-node configuration
 else
  # Remove the old configuration
  remove_single_node_conf $elastic_config_file
  remove_cluster_config $elastic_config_file
  echo "discovery.type: single-node" >> $elastic_config_file
  echo "CLUSTER: - Discovery type: single-node"
 fi
 echo "CLUSTER: - Configured"
--- a/elasticsearch/config/15-get_CA_key.sh
+++ b/elasticsearch/config/15-get_CA_key.sh
@@ -0,0 +1,11 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # Decrypt credentials.
 # If the CA key is encrypted, it must be decrypted for later use. 
 ##############################################################################
 echo "TO DO"
 # TO DO
--- a/elasticsearch/config/20-security_instances.sh
+++ b/elasticsearch/config/20-security_instances.sh
@@ -0,0 +1,21 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # instances.yml
 # This file is necessary for the creation of the Elasticsaerch certificate.
 ##############################################################################
 if [[ $SECURITY_ENABLED == "yes" ]]; then
    echo "SECURITY - Setting Elasticserach security."
    # instance.yml to be added by the user. 
    # Example:
    #       echo "
    # instances:
    # - name: \"elasticsearch\"
    #   dns:
    #     - \"elasticsearch\"
    # " > /user/share/elasticsearch/instances.yml
 fi
--- a/elasticsearch/config/22-security_certs.sh
+++ b/elasticsearch/config/22-security_certs.sh
@@ -0,0 +1,16 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # Creation and management of certificates. 
 ##############################################################################
 if [[ $SECURITY_ENABLED == "yes" ]]; then
    echo "SECURITY - Elasticserach security certificates."
    # Creation of the certificate for Elasticsearch.
    # After the execution of this script will have generated 
    # the Elasticsearch certificate and related keys and passphrase. 
    # Example: TO DO
 fi
--- a/elasticsearch/config/24-security_configuration.sh
+++ b/elasticsearch/config/24-security_configuration.sh
@@ -0,0 +1,32 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # Adapt elasticsearch.yml configuration file 
 ##############################################################################
 if [[ $SECURITY_ENABLED == "yes" ]]; then
    echo "SECURITY - Elasticserach security configuration."
    echo "SECURITY - Setting configuration options."
    # Settings for elasticsearch.yml to be added by the user. 
    # Example: 
    #     echo "
    # # Required to set the passwords and TLS options
    # xpack.security.enabled: true
    # xpack.security.transport.ssl.enabled: true
    # xpack.security.transport.ssl.verification_mode: certificate
    # xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
    # xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
    # xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"]
    # # HTTP layer
    # xpack.security.http.ssl.enabled: true
    # xpack.security.http.ssl.verification_mode: certificate
    # xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
    # xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
    # xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"]
    # " >> /usr/share/elasticsearch/config/elasticsearch.yml
 fi
--- a/elasticsearch/config/26-security_keystore.sh
+++ b/elasticsearch/config/26-security_keystore.sh
@@ -0,0 +1,21 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # Adapt elasticsearch.yml keystore management
 ##############################################################################
 if [[ $SECURITY_ENABLED == "yes" ]]; then
    echo "SECURITY - Elasticserach keystore management."
    # Create keystore
    # /usr/share/elasticsearch/bin/elasticsearch-keystore create
    # Add keys to keystore by the user. 
    # Example
    # echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin
    # echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin
 else
    echo "SECURITY - Elasticsearch security not established."
 fi
--- a/elasticsearch/config/30-decrypt_credentials.sh
+++ b/elasticsearch/config/30-decrypt_credentials.sh
@@ -0,0 +1,15 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # Decrypt credentials.
 # If the credentials of the users to be created are encrypted,
 # they must be decrypted for later use. 
 ##############################################################################
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
    echo "Security credentials file not used. Nothing to do."
 else
    echo "TO DO"
 fi
 # TO DO
--- a/elasticsearch/config/35-entrypoint.sh
+++ b/elasticsearch/config/35-entrypoint.sh
@@ -0,0 +1,70 @@
 #!/bin/bash
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 # For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.1/build/elasticsearch/bin/docker-entrypoint.sh
 set -e
 # Files created by Elasticsearch should always be group writable too
 umask 0002
 run_as_other_user_if_needed() {
  if [[ "$(id -u)" == "0" ]]; then
    # If running as root, drop to specified UID and run command
    exec chroot --userspec=1000 / "${@}"
  else
    # Either we are running in Openshift with random uid and are a member of the root group
    # or with a custom --user
    exec "${@}"
  fi
 }
 #Disabling xpack features
 elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
 if grep -Fq  "#xpack features" "$elasticsearch_config_file" ;
 then 
  declare -A CONFIG_MAP=(
  [xpack.ml.enabled]=$XPACK_ML
  )
  for i in "${!CONFIG_MAP[@]}"
  do
    if [ "${CONFIG_MAP[$i]}" != "" ]; then
      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
    fi
  done
 else
  echo "
 #xpack features
 xpack.ml.enabled: $XPACK_ML
 " >> $elasticsearch_config_file
 fi
 # Run load settings script.
 bash /usr/share/elasticsearch/35-entrypoint_load_settings.sh &
 # Execute elasticsearch
 if [[ $SECURITY_ENABLED == "yes" ]]; then
  echo "Change Elastic password"
  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
    run_as_other_user_if_needed echo "$SECURITY_ELASTIC_PASSWORD" | elasticsearch-keystore add -xf 'bootstrap.password'
  else
    input=${SECURITY_CREDENTIALS_FILE}
    ELASTIC_PASSWORD_FROM_FILE=""
    while IFS= read -r line
    do
      if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
        arrIN=(${line//:/ })
        ELASTIC_PASSWORD_FROM_FILE=${arrIN[1]}
      fi
    done < "$input"
    run_as_other_user_if_needed echo "$ELASTIC_PASSWORD_FROM_FILE" | elasticsearch-keystore add -xf 'bootstrap.password'
  fi
  echo "Elastic password changed"
 fi
 run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch 
--- a/elasticsearch/config/35-entrypoint_load_settings.sh
+++ b/elasticsearch/config/35-entrypoint_load_settings.sh
@@ -0,0 +1,172 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 set -e
 ##############################################################################
 # Set Elasticsearch API url and Wazuh API url.
 ##############################################################################
 if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
  el_url="http://elasticsearch:9200"
 else
  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
 fi
 if [[ "x${WAZUH_API_URL}" = "x" ]]; then
  wazuh_url="https://wazuh"
 else
  wazuh_url="${WAZUH_API_URL}"
 fi
 echo "LOAD SETTINGS - Elasticsearch url: $el_url"
 ##############################################################################
 # If Elasticsearch security is enabled get the elastic user password and
 # WAZUH API credentials.
 ##############################################################################
 ELASTIC_PASS=""
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
 else
  input=${SECURITY_CREDENTIALS_FILE}
  while IFS= read -r line
  do
    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
      arrIN=(${line//:/ })
      ELASTIC_PASS=${arrIN[1]}
    fi
  done < "$input"
 fi
 ##############################################################################
 # Set authentication for curl if Elasticsearch security is enabled.
 ##############################################################################
 if [ ${SECURITY_ENABLED} != "no" ]; then
  auth="-uelastic:${ELASTIC_PASS} -k"
  echo "LOAD SETTINGS - authentication for curl established."
 elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
  auth=""
  echo "LOAD SETTINGS - authentication for curl not established."
 else
  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
  echo "LOAD SETTINGS - authentication for curl established."
 fi
 ##############################################################################
 # Wait until Elasticsearch is active. 
 ##############################################################################
 until curl ${auth} -XGET $el_url; do
  >&2 echo "LOAD SETTINGS - Elastic is unavailable - sleeping"
  sleep 5
 done
 >&2 echo "LOAD SETTINGS - Elastic is up - executing command"
 ##############################################################################
 # Configure S3 repository for Elasticsearch snapshots. 
 ##############################################################################
 if [ $ENABLE_CONFIGURE_S3 ]; then
  #Wait for Elasticsearch to be ready to create the repository
  sleep 10
  >&2 echo "S3 - Configure S3"
  if [ "x$S3_PATH" != "x" ]; then
    >&2 echo "S3 - Path: $S3_PATH"
    if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
      >&2 echo "S3 - Elasticsearch major version: $S3_ELASTIC_MAJOR"
      echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh."
      bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
    else
      >&2 echo "S3 - Elasticserach major version not given."
      echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh."
      bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
    fi
  fi
 fi
 ##############################################################################
 # Load custom policies.
 ##############################################################################
 echo "LOAD SETTINGS - Loading custom Elasticsearch policies."
 bash /usr/share/elasticsearch/35-load_settings_policies.sh
 ##############################################################################
 # Modify wazuh-alerts template shards and replicas
 ##############################################################################
 echo "LOAD SETTINGS - Change shards and replicas of wazuh-alerts template."
 sed -i 's:"index.number_of_shards"\: "3":"index.number_of_shards"\: "'$WAZUH_ALERTS_SHARDS'":g' /usr/share/elasticsearch/config/wazuh-template.json
 sed -i 's:"index.number_of_replicas"\: "0":"index.number_of_replicas"\: "'$WAZUH_ALERTS_REPLICAS'":g' /usr/share/elasticsearch/config/wazuh-template.json
 ##############################################################################
 # Load default templates
 ##############################################################################
 echo "LOAD SETTINGS - Loading wazuh-alerts template"
 bash /usr/share/elasticsearch/35-load_settings_templates.sh
 ##############################################################################
 # Load custom aliases.
 ##############################################################################
 echo "LOAD SETTINGS - Loading custom Elasticsearch aliases."
 bash /usr/share/elasticsearch/35-load_settings_aliases.sh
 ##############################################################################
 # Elastic Stack users creation. 
 # Only security main node can manage users. 
 ##############################################################################
 echo "LOAD SETTINGS - Run users_management.sh."
 MY_HOSTNAME=`hostname`
 echo "LOAD SETTINGS - Hostname: $MY_HOSTNAME"
 if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
  bash /usr/share/elasticsearch/35-load_settings_users_management.sh &
 fi
 ##############################################################################
 # Enable xpack.monitoring.collection
 ##############################################################################
 curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
 {
  "persistent": {
    "xpack.monitoring.collection.enabled": true
  }
 }
 '
 ##############################################################################
 # Set cluster delayed timeout when node falls
 ##############################################################################
 curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d'
 {
  "settings": {
    "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
  }
 }
 '
 echo "LOAD SETTINGS - cluster delayed timeout changed."
 echo "LOAD SETTINGS - Elasticsearch is ready."
--- a/elasticsearch/config/35-load_settings_aliases.sh
+++ b/elasticsearch/config/35-load_settings_aliases.sh
@@ -0,0 +1,86 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 set -e
 ##############################################################################
 # Set Elasticsearch API url
 ##############################################################################
 if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
  el_url="http://elasticsearch:9200"
 else
  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
 fi
 echo "ALIASES - Elasticsearch url: $el_url"
 ##############################################################################
 # If Elasticsearch security is enabled get the elastic user password.
 ##############################################################################
 ELASTIC_PASS=""
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
 else
  input=${SECURITY_CREDENTIALS_FILE}
  while IFS= read -r line
  do
    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
      arrIN=(${line//:/ })
      ELASTIC_PASS=${arrIN[1]}
    fi
  done < "$input"
 fi
 ##############################################################################
 # If Elasticsearch security is enabled get the users credentials.
 ##############################################################################
 # The user must get the credentials of the users.
 # TO DO. 
 ##############################################################################
 # Set authentication for curl if Elasticsearch security is enabled.
 ##############################################################################
 if [ ${SECURITY_ENABLED} != "no" ]; then
  auth="-uelastic:${ELASTIC_PASS} -k"
  echo "ALIASES - authentication for curl established."
 elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
  auth=""
  echo "ALIASES - authentication for curl not established."
 else
  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
  echo "ALIASES - authentication for curl established."
 fi
 ##############################################################################
 # Wait until Elasticsearch is active. 
 ##############################################################################
 until curl ${auth} -XGET $el_url; do
  >&2 echo "ALIASES - Elastic is unavailable - sleeping"
  sleep 5
 done
 >&2 echo "ALIASES - Elastic is up - executing command"
 ##############################################################################
 # Add custom aliases.
 ##############################################################################
 # The user must add the credentials of the users.
 # TO DO.
 # Example 
 # echo "ALIASES - Add custom_user password and role:"
 # curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d'
 # {  "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}'
--- a/elasticsearch/config/35-load_settings_configure_s3.sh
+++ b/elasticsearch/config/35-load_settings_configure_s3.sh
@@ -0,0 +1,107 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 set -e
 ##############################################################################
 # If Secure access to Kibana is enabled, we must set the credentials for 
 # monitoring
 ##############################################################################
 ELASTIC_PASS=""
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
 else
  input=${SECURITY_CREDENTIALS_FILE}
  while IFS= read -r line
  do
    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
      arrIN=(${line//:/ })
      ELASTIC_PASS=${arrIN[1]}
    fi
  done < "$input"
 fi
 if [ ${SECURITY_ENABLED} != "no" ]; then
  auth="-u elastic:${ELASTIC_PASS} -k"
 else
  auth=""
 fi
 # Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error.
 # param 1: number of arguments passed to configure_s3.sh
 function CheckArgs()
 {
    if [ $1 != 4 ] && [ $1 != 5 ];then
        echo "Use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> (By default <current_elasticsearch_major_version> is added to the path and the repository name)"
        echo "or use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> <Elasticsearch major version>" 
        exit 1
    fi
 }
 # Create S3 repository from base_path <path>/<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
 # Repository name would be <RepositoryName>-<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
 # param 1: <Elastic_Server_IP:Port>
 # param 2: <Bucket>
 # param 3: <Path>
 # param 4: <RepositoryName>
 # param 5: Optional <Elasticsearch major version>
 # output: It will show "acknowledged" if the repository has been successfully created
 function CreateRepo()
 {
    elastic_ip_port="$2"
    bucket_name="$3"
    path="$4"
    repository_name="$5"
    if [ $1 == 5 ];then
        version="$6"
    else
        version=`curl ${auth} -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
    fi
    if ! [[ "$version" =~ ^[0-9]+$ ]];then
        echo "Elasticsearch major version must be an integer"
        exit 1
    fi
    repository="$repository_name-$version"
    s3_path="$path/$version"
    >&2 echo "Create S3 repository"
    until curl ${auth} -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d' {"type": "s3", "settings": { "bucket": "'$bucket_name'", "base_path": "'$s3_path'"} }'; do
      >&2 echo "Elastic is unavailable, S3 repository not created - sleeping"
      sleep 5
    done
    >&2 echo "S3 repository created"
 }
 # Run functions CheckArgs and CreateRepo
 # param 1: number of arguments passed to configure_s3.sh
 # param 2: <Elastic_Server_IP:Port>
 # param 3: <Bucket>
 # param 4: <Path>
 # param 5: <RepositoryName>
 # param 6: Optional <Elasticsearch major version>
 function Main()
 {
    CheckArgs $1
    CreateRepo $1 $2 $3 $4 $5 $6
 }
 Main $# $1 $2 $3 $4 $5
--- a/elasticsearch/config/35-load_settings_policies.sh
+++ b/elasticsearch/config/35-load_settings_policies.sh
@@ -0,0 +1,86 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 set -e
 ##############################################################################
 # Set Elasticsearch API url
 ##############################################################################
 if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
  el_url="http://elasticsearch:9200"
 else
  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
 fi
 echo "POLICIES - Elasticsearch url: $el_url"
 ##############################################################################
 # If Elasticsearch security is enabled get the elastic user password.
 ##############################################################################
 ELASTIC_PASS=""
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
 else
  input=${SECURITY_CREDENTIALS_FILE}
  while IFS= read -r line
  do
    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
      arrIN=(${line//:/ })
      ELASTIC_PASS=${arrIN[1]}
    fi
  done < "$input"
 fi
 ##############################################################################
 # If Elasticsearch security is enabled get the users credentials.
 ##############################################################################
 # The user must get the credentials of the users.
 # TO DO. 
 ##############################################################################
 # Set authentication for curl if Elasticsearch security is enabled.
 ##############################################################################
 if [ ${SECURITY_ENABLED} != "no" ]; then
  auth="-uelastic:${ELASTIC_PASS} -k"
  echo "POLICIES - authentication for curl established."
 elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
  auth=""
  echo "POLICIES - authentication for curl not established."
 else
  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
  echo "POLICIES - authentication for curl established."
 fi
 ##############################################################################
 # Wait until Elasticsearch is active. 
 ##############################################################################
 until curl ${auth} -XGET $el_url; do
  >&2 echo "POLICIES - Elastic is unavailable - sleeping"
  sleep 5
 done
 >&2 echo "POLICIES - Elastic is up - executing command"
 ##############################################################################
 # Add custom policies.
 ##############################################################################
 # The user must add the credentials of the users.
 # TO DO.
 # Example 
 # echo "POLICIES - Add custom_user password and role:"
 # curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d'
 # {  "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}'
--- a/elasticsearch/config/35-load_settings_templates.sh
+++ b/elasticsearch/config/35-load_settings_templates.sh
@@ -0,0 +1,81 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 set -e
 ##############################################################################
 # Set Elasticsearch API url
 ##############################################################################
 if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
  el_url="http://elasticsearch:9200"
 else
  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
 fi
 echo "TEMPLATES - Elasticsearch url: $el_url"
 ##############################################################################
 # If Elasticsearch security is enabled get the elastic user password.
 ##############################################################################
 ELASTIC_PASS=""
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
 else
  input=${SECURITY_CREDENTIALS_FILE}
  while IFS= read -r line
  do
    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
      arrIN=(${line//:/ })
      ELASTIC_PASS=${arrIN[1]}
    fi
  done < "$input"
 fi
 ##############################################################################
 # If Elasticsearch security is enabled get the users credentials.
 ##############################################################################
 # The user must get the credentials of the users.
 # TO DO. 
 ##############################################################################
 # Set authentication for curl if Elasticsearch security is enabled.
 ##############################################################################
 if [ ${SECURITY_ENABLED} != "no" ]; then
  auth="-uelastic:${ELASTIC_PASS} -k"
  echo "TEMPLATES - authentication for curl established."
 elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
  auth=""
  echo "TEMPLATES - authentication for curl not established."
 else
  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
  echo "TEMPLATES - authentication for curl established."
 fi
 ##############################################################################
 # Wait until Elasticsearch is active. 
 ##############################################################################
 until curl ${auth} -XGET $el_url; do
  >&2 echo "TEMPLATES - Elastic is unavailable - sleeping"
  sleep 5
 done
 >&2 echo "TEMPLATES - Elastic is up - executing command"
 ##############################################################################
 # Add wazuh-alerts templates.
 ##############################################################################
 echo "TEMPLATES - Loading default wazuh-alerts template."
 cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-
--- a/elasticsearch/config/35-load_settings_users_management.sh
+++ b/elasticsearch/config/35-load_settings_users_management.sh
@@ -0,0 +1,100 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 set -e
 ##############################################################################
 # Set Elasticsearch API url
 ##############################################################################
 if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
  el_url="http://elasticsearch:9200"
 else
  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
 fi
 echo "USERS - Elasticsearch url: $el_url"
 ##############################################################################
 # If Elasticsearch security is enabled get the elastic user password.
 ##############################################################################
 ELASTIC_PASS=""
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
 else
  input=${SECURITY_CREDENTIALS_FILE}
  while IFS= read -r line
  do
    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
      arrIN=(${line//:/ })
      ELASTIC_PASS=${arrIN[1]}
    fi
  done < "$input"
 fi
 ##############################################################################
 # If Elasticsearch security is enabled get the users credentials.
 ##############################################################################
 # The user must get the credentials of the users.
 # TO DO. 
 ##############################################################################
 # Set authentication for curl if Elasticsearch security is enabled.
 ##############################################################################
 if [ ${SECURITY_ENABLED} != "no" ]; then
  auth="-uelastic:${ELASTIC_PASS} -k"
  echo "USERS - authentication for curl established."
 elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
  auth=""
  echo "USERS - authentication for curl not established."
 else
  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
  echo "USERS - authentication for curl established."
 fi
 ##############################################################################
 # Wait until Elasticsearch is active. 
 ##############################################################################
 until curl ${auth} -XGET $el_url; do
  >&2 echo "USERS - Elastic is unavailable - sleeping"
  sleep 5
 done
 >&2 echo "USERS - Elastic is up - executing command"
 ##############################################################################
 # Setup passwords for Elastic Stack users.
 ##############################################################################
 # The user must add the credentials of the users.
 # TO DO.
 # Example 
 # echo "USERS - Add custom_user password and role:"
 # curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/custom_user_role ' -d '
 # { "indices": [ { "names": [ ".kibana*" ],  "privileges": ["read"] }, { "names": [ "wazuh-monitoring*"],  "privileges": ["all"] }] }'
 # curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/custom_user'  -d '
 # { "password":"'$CUSTOM_USER_PASSWORD'", "roles" : [ "kibana_system", "custom_user_role"],  "full_name" : "Custom User" }'
 ##############################################################################
 # Remove credentials file.
 ##############################################################################
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
  echo "USERS - Security credentials file not used. Nothing to do."
 else
  shred -zvu ${SECURITY_CREDENTIALS_FILE}
  echo "USERS - Security credentials file removed."
 fi
--- a/elasticsearch/config/TEST_openssl.cnf
+++ b/elasticsearch/config/TEST_openssl.cnf
@@ -0,0 +1,132 @@
 # OpenSSL intermediate CA configuration file.
 # Copy to `/root/ca/intermediate/openssl.cnf`.
 [ ca ]
 # `man ca`
 default_ca = CA_default
 [ CA_default ]
 # Directory and file locations.
 dir               = /root/ca/intermediate
 certs             = $dir/certs
 crl_dir           = $dir/crl
 new_certs_dir     = $dir/newcerts
 database          = $dir/index.txt
 serial            = $dir/serial
 RANDFILE          = $dir/private/.rand
 # The root key and root certificate.
 private_key       = $dir/private/intermediate.key.pem
 certificate       = $dir/certs/intermediate.cert.pem
 # For certificate revocation lists.
 crlnumber         = $dir/crlnumber
 crl               = $dir/crl/intermediate.crl.pem
 crl_extensions    = crl_ext
 default_crl_days  = 30
 # SHA-1 is deprecated, so use SHA-2 instead.
 default_md        = sha256
 name_opt          = ca_default
 cert_opt          = ca_default
 default_days      = 375
 preserve          = no
 policy            = policy_loose
 [ policy_strict ]
 # The root CA should only sign intermediate certificates that match.
 # See the POLICY FORMAT section of `man ca`.
 countryName             = match
 stateOrProvinceName     = match
 organizationName        = match
 organizationalUnitName  = optional
 commonName              = supplied
 emailAddress            = optional
 [ policy_loose ]
 # Allow the intermediate CA to sign a more diverse range of certificates.
 # See the POLICY FORMAT section of the `ca` man page.
 countryName             = optional
 stateOrProvinceName     = optional
 localityName            = optional
 organizationName        = optional
 organizationalUnitName  = optional
 commonName              = supplied
 emailAddress            = optional
 [ req ]
 # Options for the `req` tool (`man req`).
 default_bits        = 2048
 distinguished_name  = req_distinguished_name
 string_mask         = utf8only
 # SHA-1 is deprecated, so use SHA-2 instead.
 default_md          = sha256
 # Extension to add when the -x509 option is used.
 x509_extensions     = v3_ca
 [ req_distinguished_name ]
 # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
 countryName                     = Country Name (2 letter code)
 stateOrProvinceName             = State or Province Name
 localityName                    = Locality Name
 0.organizationName              = Organization Name
 organizationalUnitName          = Organizational Unit Name
 commonName                      = Common Name
 emailAddress                    = Email Address
 # Optionally, specify some defaults.
 countryName_default             = GB
 stateOrProvinceName_default     = England
 localityName_default            =
 0.organizationName_default      = Alice Ltd
 organizationalUnitName_default  =
 emailAddress_default            =
 [ v3_ca ]
 # Extensions for a typical CA (`man x509v3_config`).
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 [ v3_intermediate_ca ]
 # Extensions for a typical intermediate CA (`man x509v3_config`).
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true, pathlen:0
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 [ usr_cert ]
 # Extensions for client certificates (`man x509v3_config`).
 basicConstraints = CA:FALSE
 nsCertType = client, email
 nsComment = "OpenSSL Generated Client Certificate"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer
 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
 extendedKeyUsage = clientAuth, emailProtection
 [ server_cert ]
 # Extensions for server certificates (`man x509v3_config`).
 basicConstraints = CA:FALSE
 nsCertType = server
 nsComment = "OpenSSL Generated Server Certificate"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth
 [ crl_ext ]
 # Extension for CRLs (`man x509v3_config`).
 authorityKeyIdentifier=keyid:always
 [ ocsp ]
 # Extension for OCSP signing certificates (`man ocsp`).
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer
 keyUsage = critical, digitalSignature
 extendedKeyUsage = critical, OCSPSigning
--- a/elasticsearch/config/entrypoint.sh
+++ b/elasticsearch/config/entrypoint.sh
@@ -0,0 +1,8 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
  bash "$script"
 done
--- a/generate-elasticsearch-certs.yml
+++ b/generate-elasticsearch-certs.yml
@@ -1,17 +0,0 @@
 version: '2.2'
 services:
  generator:
    container_name: generator
    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
    command: >
      bash -c '
        if [[ ! -f config/certificates/bundle.zip ]]; then
          bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out config/certificates/bundle.zip;
          unzip config/certificates/bundle.zip -d config/certificates/;
        fi;
        chown -R 1000:0 config/certificates
      '
    user: "0"
    working_dir: /usr/share/elasticsearch
    volumes: ['./xpack:/usr/share/elasticsearch/config/certificates']
--- a/generate-opendistro-certs.yml
+++ b/generate-opendistro-certs.yml
@@ -1,10 +0,0 @@
 # Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 version: '3'
 services:
  generator:
    image: wazuh/opendistro-certs-generator:0.1
    hostname: opendistro-certs-generator
    volumes:
      - ./production_cluster/ssl_certs/certs.yml:/usr/src/config/myconf.yml
      - ./production_cluster/ssl_certs/:/usr/src/certs/out/ 
--- a/kibana-odfe/Dockerfile
+++ b/kibana-odfe/Dockerfile
@@ -1,59 +0,0 @@
 # Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 FROM amazon/opendistro-for-elasticsearch-kibana:1.13.2
 USER kibana
 ARG ELASTIC_VERSION=7.10.2
 ARG WAZUH_VERSION=4.2.3
 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
 WORKDIR /usr/share/kibana
 RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip
 WORKDIR /
 USER root
 COPY config/entrypoint.sh ./entrypoint.sh
 RUN chmod 755 ./entrypoint.sh
 ENV PATTERN="" \
    CHECKS_PATTERN="" \
    CHECKS_TEMPLATE="" \
    CHECKS_API="" \
    CHECKS_SETUP="" \
    EXTENSIONS_PCI="" \
    EXTENSIONS_GDPR="" \
    EXTENSIONS_HIPAA="" \
    EXTENSIONS_NIST="" \
    EXTENSIONS_TSC="" \
    EXTENSIONS_AUDIT="" \
    EXTENSIONS_OSCAP="" \
    EXTENSIONS_CISCAT="" \
    EXTENSIONS_AWS="" \
    EXTENSIONS_GCP="" \
    EXTENSIONS_VIRUSTOTAL="" \
    EXTENSIONS_OSQUERY="" \
    EXTENSIONS_DOCKER="" \
    APP_TIMEOUT="" \
    API_SELECTOR="" \
    IP_SELECTOR="" \
    IP_IGNORE="" \
    WAZUH_MONITORING_ENABLED="" \
    WAZUH_MONITORING_FREQUENCY="" \
    WAZUH_MONITORING_SHARDS="" \
    WAZUH_MONITORING_REPLICAS="" \
    ADMIN_PRIVILEGES=""
 USER kibana
 COPY ./config/custom_welcome /tmp/custom_welcome
 COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
 RUN chmod +x ./welcome_wazuh.sh
 ARG CHANGE_WELCOME="true"
 RUN ./welcome_wazuh.sh
 COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml
 COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
 RUN chmod +x ./wazuh_app_config.sh
 COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
 RUN chmod +x ./kibana_settings.sh
 ENTRYPOINT ./entrypoint.sh
--- a/kibana-odfe/config/custom_welcome/light_theme.style.css
+++ b/kibana-odfe/config/custom_welcome/light_theme.style.css
--- a/kibana-odfe/config/custom_welcome/template.js.hbs
+++ b/kibana-odfe/config/custom_welcome/template.js.hbs
@@ -1,112 +0,0 @@
 var kbnCsp = JSON.parse(document.querySelector('kbn-csp').getAttribute('data'));
 window.__kbnStrictCsp__ = kbnCsp.strictCsp;
 window.__kbnThemeTag__ = "{{themeTag}}";
 window.__kbnPublicPath__ = {{publicPathMap}};
 window.__kbnBundles__ = {{kbnBundlesLoaderSource}}
 if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) {
  var legacyBrowserError = document.getElementById('kbn_legacy_browser_error');
  legacyBrowserError.style.display = 'flex';
 } else {
  if (!window.__kbnCspNotEnforced__ && window.console) {
    window.console.log("^ A single error about an inline script not firing due to content security policy is expected!");
  }
  var loadingMessage = document.getElementById('kbn_loading_message');
  loadingMessage.style.display = 'flex';
  window.onload = function () {
    //WAZUH 
      var interval = setInterval(() => {  
        var title = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--medium > div")
        if (!!title) {
          clearInterval(interval);
 	  var content = document.querySelector("#kibana-body > div");
          content.classList.add("wz-login")
          title.textContent = "Welcome to Wazuh";
          var subtitle = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--small > div")
          subtitle.textContent = "The Open Source Security Platform";
          var logo = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > figure");
          logo.remove();
          var logoContainer = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul");
          $(logoContainer).prepend('<span class="loginWelcome__logo"></span>');
        } 
      })  
    //
    function failure() {
      // make subsequent calls to failure() noop
      failure = function () {};
      var err = document.createElement('h1');
      err.style['color'] = 'white';
      err.style['font-family'] = 'monospace';
      err.style['text-align'] = 'center';
      err.style['background'] = '#F44336';
      err.style['padding'] = '25px';
      err.innerText = document.querySelector('[data-error-message]').dataset.errorMessage;
      document.body.innerHTML = err.outerHTML;
    }
    var stylesheetTarget = document.querySelector('head meta[name="add-styles-here"]')
    function loadStyleSheet(url, cb) {
      var dom = document.createElement('link');
      dom.rel = 'stylesheet';
      dom.type = 'text/css';
      dom.href = url;
      dom.addEventListener('error', failure);
      dom.addEventListener('load', cb);
      document.head.insertBefore(dom, stylesheetTarget);
    }
    var scriptsTarget = document.querySelector('head meta[name="add-scripts-here"]')
    function loadScript(url, cb) {
      var dom = document.createElement('script');
      {{!-- NOTE: async = false is used to trigger async-download/ordered-execution as outlined here: https://www.html5rocks.com/en/tutorials/speed/script-loading/ --}}
      dom.async = false;
      dom.src = url;
      dom.addEventListener('error', failure);
      dom.addEventListener('load', cb);
      document.head.insertBefore(dom, scriptsTarget);
    }
    function load(urls, cb) {
      var pending = urls.length;
      urls.forEach(function (url) {
        var innerCb = function () {
          pending = pending - 1;
          if (pending === 0 && typeof cb === 'function') {
            cb();
          }
        }
        if (typeof url !== 'string') {
          load(url, innerCb);
        } else if (url.slice(-4) === '.css') {
          loadStyleSheet(url, innerCb);
        } else {
          loadScript(url, innerCb);
        }
      });
    }
    load([
      {{#each jsDependencyPaths}}
        '{{this}}',
      {{/each}}
    ], function () {
      {{#unless legacyBundlePath}}
        __kbnBundles__.get('entry/core/public').__kbnBootstrap__();
      {{/unless}}
      load([
        {{#if legacyBundlePath}}
          '{{legacyBundlePath}}',
        {{/if}}
        {{#each styleSheetPaths}}
          '{{this}}',
        {{/each}}
      ]);
    });
  }
 }
--- a/kibana-odfe/config/custom_welcome/wazuh_logo_circle.svg
+++ b/kibana-odfe/config/custom_welcome/wazuh_logo_circle.svg
@@ -1 +0,0 @@
 <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 84.67 84.67"><defs><style>.a{fill:#fff;}.b{fill:#00a9e5;}</style></defs><title>wazuh_logo_circle</title><circle class="a" cx="42.34" cy="42.34" r="42.34"/><path class="b" d="M58.13,9.2,50,26.32H35.07L26.16,9.2,20,31l-8.53,9.72,19.18,17.6,7.47,17.21h8.53l7-16.91L73.24,40.83l-8.73-9.57ZM48.58,55.13a1.79,1.79,0,0,1-.74.62,2.49,2.49,0,0,1-1,.2,2.52,2.52,0,0,1-1-.2,1.84,1.84,0,0,1-.71-.62l-2.88-4.36-2.9,4.36a1.87,1.87,0,0,1-.72.62,2.48,2.48,0,0,1-.95.2,1.94,1.94,0,0,1-1.7-.82L21.3,41.37h4.09L37.87,52.3l2.49-3.89h3.93L47,52.3,59.63,40.9h3.74Z"/></svg>
--- a/kibana-odfe/config/custom_welcome/wazuh_wazuh_bg.svg
+++ b/kibana-odfe/config/custom_welcome/wazuh_wazuh_bg.svg
--- a/kibana-odfe/config/entrypoint.sh
+++ b/kibana-odfe/config/entrypoint.sh
@@ -1,65 +0,0 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 set -e
 ##############################################################################
 # Waiting for elasticsearch
 ##############################################################################
 if [ "x${ELASTICSEARCH_URL}" == "x" ]; then
  if [[ ${ENABLED_SECURITY} == "false" ]]; then
    export el_url="http://elasticsearch:9200"
  else
    export el_url="https://elasticsearch:9200"
  fi
 else
  export el_url="${ELASTICSEARCH_URL}"
 fi
 if [[ ${ENABLED_SECURITY} == "false" || "x${ELASTICSEARCH_USERNAME}" == "x" || "x${ELASTICSEARCH_PASSWORD}" == "x" ]]; then
  auth=""
  # remove security plugin from kibana if elasticsearch is not using it either
  /usr/share/kibana/bin/kibana-plugin remove opendistro_security
 else
  export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"
 fi
 until curl -XGET $el_url ${auth}; do
  >&2 echo "Elastic is unavailable - sleeping"
  sleep 5
 done
 sleep 2
 >&2 echo "Elasticsearch is up."
 ##############################################################################
 # Waiting for wazuh alerts template
 ##############################################################################
 strlen=0
 while [[ $strlen -eq 0 ]]
 do
  template=$(curl ${auth} $el_url/_cat/templates/wazuh -s)
  strlen=${#template}
  >&2 echo "Wazuh alerts template not loaded - sleeping."
  sleep 2
 done
 sleep 2
 >&2 echo "Wazuh alerts template is loaded."
 ./wazuh_app_config.sh
 sleep 5
 ./kibana_settings.sh &
 sleep 2
 /usr/local/bin/kibana-docker
--- a/kibana-odfe/config/kibana_settings.sh
+++ b/kibana-odfe/config/kibana_settings.sh
@@ -1,58 +0,0 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 WAZUH_MAJOR=4
 ##############################################################################
 # Wait for the Kibana API to start. It is necessary to do it in this container
 # because the others are running Elastic Stack and we can not interrupt them.
 #
 # The following actions are performed:
 #
 # Add the wazuh alerts index as default.
 # Set the Discover time interval to 24 hours instead of 15 minutes.
 # Do not ask user to help providing usage statistics to Elastic.
 ##############################################################################
 ##############################################################################
 # Customize elasticsearch ip
 ##############################################################################
 sed -i "s|elasticsearch.hosts:.*|elasticsearch.hosts: $el_url|g" /usr/share/kibana/config/kibana.yml
 # If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
 if [ "$KIBANA_INDEX" != "" ]; then
  if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
    sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
  fi
    echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
 fi
 while [[ "$(curl -XGET -I  -s -o /dev/null -w '%{http_code}' -k https://127.0.0.1:5601/app/login)" != "200" ]]; do
  echo "Waiting for Kibana API. Sleeping 5 seconds"
  sleep 5
 done
 # Prepare index selection.
 echo "Kibana API is running"
 default_index="/tmp/default_index.json"
 cat > ${default_index} << EOF
 {
  "changes": {
    "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
  }
 }
 EOF
 sleep 5
 # Add the wazuh alerts index as default.
 curl ${auth} -POST -k https://127.0.0.1:5601/api/kibana/settings -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
 rm -f ${default_index}
 sleep 5
 # Configuring Kibana TimePicker.
 curl ${auth} -POST -k "https://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
 '{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-12h\",\n  \"to\": \"now\"}"}}'
 echo "End settings"
--- a/kibana-odfe/config/wazuh.yml
+++ b/kibana-odfe/config/wazuh.yml
@@ -1,162 +0,0 @@
 ---
 #
 # Wazuh app - App configuration file
 # Copyright (C) 2015-2021 Wazuh, Inc.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.
 #
 # Find more information about this on the LICENSE file.
 #
 # ======================== Wazuh app configuration file ========================
 #
 # Please check the documentation for more information on configuration options:
 # https://documentation.wazuh.com/current/installation-guide/index.html
 #
 # Also, you can check our repository:
 # https://github.com/wazuh/wazuh-kibana-app
 #
 # ------------------------------- Index patterns -------------------------------
 #
 # Default index pattern to use.
 #pattern: wazuh-alerts-*
 #
 # ----------------------------------- Checks -----------------------------------
 #
 # Defines which checks must to be consider by the healthcheck
 # step once the Wazuh app starts. Values must to be true or false.
 #checks.pattern : true
 #checks.template: true
 #checks.api     : true
 #checks.setup   : true
 #checks.metaFields: true
 #
 # --------------------------------- Extensions ---------------------------------
 #
 # Defines which extensions should be activated when you add a new API entry.
 # You can change them after Wazuh app starts.
 # Values must to be true or false.
 #extensions.pci       : true
 #extensions.gdpr      : true
 #extensions.hipaa     : true
 #extensions.nist      : true
 #extensions.tsc       : true
 #extensions.audit     : true
 #extensions.oscap     : false
 #extensions.ciscat    : false
 #extensions.aws       : false
 #extensions.gcp       : false
 #extensions.virustotal: false
 #extensions.osquery   : false
 #extensions.docker    : false
 #
 # ---------------------------------- Time out ----------------------------------
 #
 # Defines maximum timeout to be used on the Wazuh app requests.
 # It will be ignored if it is bellow 1500.
 # It means milliseconds before we consider a request as failed.
 # Default: 20000
 #timeout: 20000
 #
 # -------------------------------- API selector --------------------------------
 #
 # Defines if the user is allowed to change the selected
 # API directly from the Wazuh app top menu.
 # Default: true
 #api.selector: true
 #
 # --------------------------- Index pattern selector ---------------------------
 #
 # Defines if the user is allowed to change the selected
 # index pattern directly from the Wazuh app top menu.
 # Default: true
 #ip.selector: true
 #
 # List of index patterns to be ignored
 #ip.ignore: []
 #
 # -------------------------------- X-Pack RBAC ---------------------------------
 #
 # Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
 # Default: enabled
 #xpack.rbac.enabled: true
 #
 # ------------------------------ wazuh-monitoring ------------------------------
 #
 # Custom setting to enable/disable wazuh-monitoring indices.
 # Values: true, false, worker
 # If worker is given as value, the app will show the Agents status
 # visualization but won't insert data on wazuh-monitoring indices.
 # Default: true
 #wazuh.monitoring.enabled: true
 #
 # Custom setting to set the frequency for wazuh-monitoring indices cron task.
 # Default: 900 (s)
 #wazuh.monitoring.frequency: 900
 #
 # Configure wazuh-monitoring-* indices shards and replicas.
 #wazuh.monitoring.shards: 2
 #wazuh.monitoring.replicas: 0
 #
 # Configure wazuh-monitoring-* indices custom creation interval.
 # Values: h (hourly), d (daily), w (weekly), m (monthly)
 # Default: d
 #wazuh.monitoring.creation: d
 #
 # Default index pattern to use for Wazuh monitoring
 #wazuh.monitoring.pattern: wazuh-monitoring-*
 #
 # --------------------------------- wazuh-cron ----------------------------------
 #
 # Customize the index prefix of predefined jobs
 # This change is not retroactive, if you change it new indexes will be created
 # cron.prefix: test
 #
 # ------------------------------ wazuh-statistics -------------------------------
 #
 # Custom setting to enable/disable statistics tasks.
 #cron.statistics.status: true
 #
 # Enter the ID of the APIs you want to save data from, leave this empty to run
 # the task on all configured APIs
 #cron.statistics.apis: []
 #
 # Define the frequency of task execution using cron schedule expressions
 #cron.statistics.interval: 0 0 * * * *
 #
 # Define the name of the index in which the documents are to be saved.
 #cron.statistics.index.name: statistics
 #
 # Define the interval in which the index will be created
 #cron.statistics.index.creation: w
 #
 # ------------------------------- App privileges --------------------------------
 #admin: true
 #
 # ---------------------------- Hide manager alerts ------------------------------
 # Hide the alerts of the manager in all dashboards and discover
 #hideManagerAlerts: false
 #
 # ------------------------------- App logging level -----------------------------
 # Set the logging level for the Wazuh App log files.
 # Default value: info
 # Allowed values: info, debug
 #logs.level: info
 #
 # -------------------------------- Enrollment DNS -------------------------------
 # Set the variable WAZUH_REGISTRATION_SERVER in agents deployment.
 # Default value: ''
 #enrollment.dns: ''
 #
 #-------------------------------- API entries -----------------------------------
 #The following configuration is the default structure to define an API entry.
 #
 #hosts:
 #  - <id>:
 #     url: http(s)://<url>
 #     port: <port>
 #     username: <username>
 #     password: <password>
--- a/kibana-odfe/config/wazuh_app_config.sh
+++ b/kibana-odfe/config/wazuh_app_config.sh
@@ -1,64 +0,0 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 wazuh_url="${WAZUH_API_URL:-https://wazuh}"
 wazuh_port="${API_PORT:-55000}"
 api_username="${API_USERNAME:-wazuh-wui}"
 api_password="${API_PASSWORD:-wazuh-wui}"
 kibana_config_file="/usr/share/kibana/data/wazuh/config/wazuh.yml"
 declare -A CONFIG_MAP=(
  [pattern]=$PATTERN
  [checks.pattern]=$CHECKS_PATTERN
  [checks.template]=$CHECKS_TEMPLATE
  [checks.api]=$CHECKS_API
  [checks.setup]=$CHECKS_SETUP
  [extensions.pci]=$EXTENSIONS_PCI
  [extensions.gdpr]=$EXTENSIONS_GDPR
  [extensions.hipaa]=$EXTENSIONS_HIPAA
  [extensions.nist]=$EXTENSIONS_NIST
  [extensions.tsc]=$EXTENSIONS_TSC
  [extensions.audit]=$EXTENSIONS_AUDIT
  [extensions.oscap]=$EXTENSIONS_OSCAP
  [extensions.ciscat]=$EXTENSIONS_CISCAT
  [extensions.aws]=$EXTENSIONS_AWS
  [extensions.gcp]=$EXTENSIONS_GCP
  [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
  [extensions.osquery]=$EXTENSIONS_OSQUERY
  [extensions.docker]=$EXTENSIONS_DOCKER
  [timeout]=$APP_TIMEOUT
  [api.selector]=$API_SELECTOR
  [ip.selector]=$IP_SELECTOR
  [ip.ignore]=$IP_IGNORE
  [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
  [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
  [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
  [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
  [admin]=$ADMIN_PRIVILEGES
 )
 for i in "${!CONFIG_MAP[@]}"
 do
    if [ "${CONFIG_MAP[$i]}" != "" ]; then
        sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
    fi
 done
 CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013)
 grep -q 1513629884013 $kibana_config_file
 _config_exists=$?
 if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
 cat << EOF >> $kibana_config_file
 hosts:
  - 1513629884013:
      url: $wazuh_url
      port: $wazuh_port
      username: $api_username
      password: $api_password
 EOF
 else
  echo "Wazuh APP already configured"
 fi
--- a/kibana-odfe/config/welcome_wazuh.sh
+++ b/kibana-odfe/config/welcome_wazuh.sh
@@ -1,14 +0,0 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 if [[ $CHANGE_WELCOME == "true" ]]
 then
    echo "Set Wazuh app as the default landing page"
    echo "server.defaultRoute: /app/wazuh?security_tenant=global" >> /usr/share/kibana/config/kibana.yml
    echo "Set custom welcome styles"
    cp -f /tmp/custom_welcome/template.js.hbs /usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs
    cp -f /tmp/custom_welcome/light_theme.style.css /usr/share/kibana/src/core/server/core_app/assets/legacy_light_theme.css
    cp -f /tmp/custom_welcome/*svg /usr/share/kibana/src/core/server/core_app/assets/
 fi
--- a/kibana/Dockerfile
+++ b/kibana/Dockerfile
@@ -1,12 +1,25 @@
-# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana:7.10.2
+FROM docker.elastic.co/kibana/kibana:7.4.2
-USER kibana
+ARG ELASTIC_VERSION=7.4.2
-ARG ELASTIC_VERSION=7.10.2
+ARG WAZUH_VERSION=3.11.4
 ARG WAZUH_VERSION=4.2.3
 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
-WORKDIR /usr/share/kibana
+USER root
-RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip
+
 COPY config/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
 USER kibana
 #RUN /usr/share/kibana/bin/kibana-plugin install  --allow-root https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip
 RUN /usr/share/kibana/bin/kibana-plugin install  --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip 
 USER root
 RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
 COPY config/entrypoint.sh ./entrypoint.sh
 RUN chmod 755 ./entrypoint.sh
 RUN mkdir /entrypoint-scripts
 USER kibana
 ENV CONFIGURATION_FROM_FILE="false"
 ENV PATTERN="" \
    CHECKS_PATTERN="" \
@@ -15,50 +28,74 @@ ENV PATTERN="" \
    CHECKS_SETUP="" \
    EXTENSIONS_PCI="" \
    EXTENSIONS_GDPR="" \
    EXTENSIONS_HIPAA="" \
    EXTENSIONS_NIST="" \
    EXTENSIONS_TSC="" \
    EXTENSIONS_AUDIT="" \
    EXTENSIONS_OSCAP="" \
    EXTENSIONS_CISCAT="" \
    EXTENSIONS_AWS="" \
    EXTENSIONS_GCP="" \
    EXTENSIONS_VIRUSTOTAL="" \
    EXTENSIONS_OSQUERY="" \
    EXTENSIONS_DOCKER="" \
    APP_TIMEOUT="" \
-    API_SELECTOR="" \
+    WAZUH_SHARDS="" \
    WAZUH_REPLICAS="" \
    WAZUH_VERSION_SHARDS="" \
    WAZUH_VERSION_REPLICAS="" \
    IP_SELECTOR="" \
    IP_IGNORE="" \
    XPACK_RBAC_ENABLED="" \
    WAZUH_MONITORING_ENABLED="" \
    WAZUH_MONITORING_FREQUENCY="" \
    WAZUH_MONITORING_SHARDS="" \
    WAZUH_MONITORING_REPLICAS="" \
    ADMIN_PRIVILEGES="" \
-    XPACK_CANVAS="true" \
+    API_SELECTOR=""
    XPACK_LOGS="true"   \
    XPACK_INFRA="true"  \
    XPACK_ML="true" \
    XPACK_DEVTOOLS="true"   \
    XPACK_MONITORING="true" \
    XPACK_APM="true"
-WORKDIR /
+ARG XPACK_CANVAS="false"
-USER kibana
+ARG XPACK_LOGS="false"
 ARG XPACK_INFRA="false"
 ARG XPACK_ML="false"
 ARG XPACK_DEVTOOLS="false"
 ARG XPACK_MONITORING="false"
 ARG XPACK_APM="false"
 ARG XPACK_MAPS="false"
 ARG XPACK_UPTIME="false"
 ARG XPACK_SIEM="false"
-COPY --chown=kibana:kibana config/entrypoint.sh ./entrypoint.sh
+ARG CHANGE_WELCOME="true"
 RUN chmod 755 ./entrypoint.sh
-RUN printf "\nserver.defaultRoute: /app/wazuh\n" >> /usr/share/kibana/config/kibana.yml
+COPY --chown=kibana:kibana ./config/05-decrypt_credentials.sh /entrypoint-scripts/05-decrypt_credentials.sh
-
+COPY --chown=kibana:kibana ./config/10-wazuh_app_config.sh /entrypoint-scripts/10-wazuh_app_config.sh
-COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml
+COPY --chown=kibana:kibana ./config/12-custom_logos.sh /entrypoint-scripts/12-custom_logos.sh
-COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
+COPY --chown=kibana:kibana ./config/20-entrypoint.sh /entrypoint-scripts/20-entrypoint.sh
-RUN chmod +x ./wazuh_app_config.sh
+COPY --chown=kibana:kibana ./config/20-entrypoint_kibana_settings.sh ./
-
+COPY --chown=kibana:kibana ./config/20-entrypoint_certs_management.sh ./
-COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
+RUN chmod +x /entrypoint-scripts/05-decrypt_credentials.sh  && \
-RUN chmod +x ./kibana_settings.sh
+    chmod +x /entrypoint-scripts/10-wazuh_app_config.sh && \
    chmod +x /entrypoint-scripts/12-custom_logos.sh && \
    chmod +x /entrypoint-scripts/20-entrypoint.sh && \
    chmod +x ./20-entrypoint_kibana_settings.sh && \
    chmod +x ./20-entrypoint_certs_management.sh
 COPY --chown=kibana:kibana ./config/xpack_config.sh ./
 RUN chmod +x ./xpack_config.sh
 RUN ./xpack_config.sh
 COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
 RUN chmod +x ./welcome_wazuh.sh
 RUN ./welcome_wazuh.sh
 RUN /usr/local/bin/kibana-docker --optimize
 USER root
 RUN chmod 660 /usr/share/kibana/plugins/wazuh/wazuh.yml && \
    chmod 775 /usr/share/kibana/plugins/wazuh && \
    chown root:kibana /usr/share/kibana/plugins/wazuh/wazuh.yml && \
    chown root:kibana /usr/share/kibana/plugins/wazuh
 USER kibana
 ENTRYPOINT ./entrypoint.sh
--- a/kibana/config/05-decrypt_credentials.sh
+++ b/kibana/config/05-decrypt_credentials.sh
@@ -0,0 +1,15 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # Decrypt credentials.
 # If the credentials of the users to be created are encrypted,
 # they must be decrypted for later use. 
 ##############################################################################
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
    echo "Security credentials file not used. Nothing to do."
 else
    echo "TO DO"
 fi
 # TO DO
--- a/kibana/config/10-wazuh_app_config.sh
+++ b/kibana/config/10-wazuh_app_config.sh
@@ -0,0 +1,115 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # If Elasticsearch security is enabled get the kibana user, the Kibana 
 # password and WAZUH API credentials.
 ##############################################################################
 KIBANA_USER=""
 KIBANA_PASS=""
 WAZH_API_USER=""
 WAZH_API_PASS=""
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
  KIBANA_USER=${SECURITY_KIBANA_USER}
  KIBANA_PASS=${SECURITY_KIBANA_PASS}
  WAZH_API_USER=${API_USER}
  WAZH_API_PASS=${API_PASS}
  echo "USERS - Credentials obtained from environment variables."
 else
  input=${SECURITY_CREDENTIALS_FILE}
  while IFS= read -r line
  do
    if [[ $line == *"KIBANA_USER"* ]]; then
      arrIN=(${line//:/ })
      KIBANA_USER=${arrIN[1]}
    elif [[ $line == *"KIBANA_PASSWORD"* ]]; then
      arrIN=(${line//:/ })
      KIBANA_PASS=${arrIN[1]}
    elif [[ $line == *"WAZUH_API_USER"* ]]; then
      arrIN=(${line//:/ })
      WAZH_API_USER=${arrIN[1]}
    elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
      arrIN=(${line//:/ })
      WAZH_API_PASS=${arrIN[1]}
    fi
  done < "$input"
  echo "USERS - Credentials obtained from file."
 fi
 ##############################################################################
 # Establish the way to run the curl command, with or without authentication. 
 ##############################################################################
 if [ ${SECURITY_ENABLED} != "no" ]; then
  auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k"
 elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
  auth=""
 else
  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
 fi
 ##############################################################################
 # Set custom wazuh.yml config
 ##############################################################################
 kibana_config_file="/usr/share/kibana/plugins/wazuh/wazuh.yml"
 declare -A CONFIG_MAP=(
  [pattern]=$PATTERN
  [checks.pattern]=$CHECKS_PATTERN
  [checks.template]=$CHECKS_TEMPLATE
  [checks.api]=$CHECKS_API
  [checks.setup]=$CHECKS_SETUP
  [extensions.pci]=$EXTENSIONS_PCI
  [extensions.gdpr]=$EXTENSIONS_GDPR
  [extensions.audit]=$EXTENSIONS_AUDIT
  [extensions.oscap]=$EXTENSIONS_OSCAP
  [extensions.ciscat]=$EXTENSIONS_CISCAT
  [extensions.aws]=$EXTENSIONS_AWS
  [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
  [extensions.osquery]=$EXTENSIONS_OSQUERY
  [timeout]=$APP_TIMEOUT
  [wazuh.shards]=$WAZUH_SHARDS
  [wazuh.replicas]=$WAZUH_REPLICAS
  [wazuh-version.shards]=$WAZUH_VERSION_SHARDS
  [wazuh-version.replicas]=$WAZUH_VERSION_REPLICAS
  [ip.selector]=$IP_SELECTOR
  [ip.ignore]=$IP_IGNORE
  [xpack.rbac.enabled]=$XPACK_RBAC_ENABLED
  [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
  [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
  [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
  [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
  [admin]=$ADMIN_PRIVILEGES
  [api.selector]=$API_SELECTOR
 )
 for i in "${!CONFIG_MAP[@]}"
 do
    if [ "${CONFIG_MAP[$i]}" != "" ]; then
        sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
    fi
 done
 # remove default API entry (new in 3.11.0_7.5.1)
 sed -ie '/- default:/,+4d' $kibana_config_file
 # If this is an update to 3.11
 CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $ELASTICSEARCH_URL/.wazuh/_doc/1513629884013 ${auth})
 grep -q 1513629884013 $kibana_config_file
 _config_exists=$?
 if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
 cat << EOF >> $kibana_config_file 
  - 1:
      url: https://wazuh
      port: 55000
      user: $WAZH_API_USER
      password: $WAZH_API_PASS
 EOF
 else
  echo "Wazuh APP already configured"
 fi
--- a/kibana/config/12-custom_logos.sh
+++ b/kibana/config/12-custom_logos.sh
@@ -0,0 +1,14 @@
 #!/bin/bash
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # Kibana logos
 ##############################################################################
 if [[ $CUSTOM_LOGO == "true" ]]; then
    echo "CUSTOM LOGO - Change Kibana logos."
    # TO DO
 fi
--- a/kibana/config/20-entrypoint.sh
+++ b/kibana/config/20-entrypoint.sh
@@ -0,0 +1,126 @@
 #!/bin/bash
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 set -e
 ##############################################################################
 # Set Elasticsearch API url.
 ##############################################################################
 if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
  el_url="http://elasticsearch:9200"
 else
  el_url="${ELASTICSEARCH_URL}"
 fi
 echo "ENTRYPOINT - Set Elasticsearc url:${ELASTICSEARCH_URL}"
 ##############################################################################
 # If there are credentials for Kibana they are obtained. 
 ##############################################################################
 KIBANA_USER=""
 KIBANA_PASS=""
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
  KIBANA_USER=${SECURITY_KIBANA_USER}
  KIBANA_PASS=${SECURITY_KIBANA_PASS}
 else
  input=${SECURITY_CREDENTIALS_FILE}
  while IFS= read -r line
  do
    if [[ $line == *"KIBANA_PASSWORD"* ]]; then
      arrIN=(${line//:/ })
      KIBANA_PASS=${arrIN[1]}
    elif [[ $line == *"KIBANA_USER"* ]]; then
      arrIN=(${line//:/ })
      KIBANA_USER=${arrIN[1]}
    fi
  done < "$input"
 fi
 echo "ENTRYPOINT - Kibana credentials obtained."
 ##############################################################################
 # Establish the way to run the curl command, with or without authentication. 
 ##############################################################################
 if [ ${SECURITY_ENABLED} != "no" ]; then
  auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k"
 elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
  auth=""
 else
  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
 fi
 echo "ENTRYPOINT - Kibana authentication established."
 ##############################################################################
 # Waiting for elasticsearch.
 ##############################################################################
 until curl -XGET $el_url ${auth}; do
  >&2 echo "ENTRYPOINT - Elastic is unavailable: sleeping"
  sleep 5
 done
 sleep 2
 >&2 echo "ENTRYPOINT - Elasticsearch is up."
 ##############################################################################
 # Waiting for wazuh alerts template.
 ##############################################################################
 strlen=0
 while [[ $strlen -eq 0 ]]
 do
  template=$(curl $auth $el_url/_cat/templates/wazuh -s)
  strlen=${#template}
  >&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping."
  sleep 2
 done
 sleep 2
 >&2 echo "ENTRYPOINT - Wazuh alerts template is loaded."
 ##############################################################################
 # Create keystore if security is enabled.
 ##############################################################################
 if [[ $SECURITY_ENABLED == "yes" ]]; then
  echo "ENTRYPOINT - Create Keystore."
  /usr/share/kibana/bin/kibana-keystore create
  # Add keys to keystore
  echo -e "$KIBANA_PASS" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin
  echo -e "$KIBANA_USER" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.username --stdin
  echo "ENTRYPOINT - Keystore created."
 fi
 ##############################################################################
 # If security is enabled set Kibana configuration.
 # Create the ssl certificate.
 ##############################################################################
 if [[ $SECURITY_ENABLED == "yes" ]]; then
  bash /usr/share/kibana/20-entrypoint_certs_management.sh
 fi
 ##############################################################################
 # Run kibana_settings.sh script.
 ##############################################################################
 bash /usr/share/kibana/20-entrypoint_kibana_settings.sh &
 /usr/local/bin/kibana-docker
--- a/kibana/config/20-entrypoint_certs_management.sh
+++ b/kibana/config/20-entrypoint_certs_management.sh
@@ -0,0 +1,14 @@
 #!/bin/bash
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # Kibana certs and keystore management 
 ##############################################################################
 if [[ $SECURITY_ENABLED == "yes" ]]; then
    echo "CERTS_MANAGEMENT - Create certificates. TO DO."
    # TO DO
 fi
--- a/kibana/config/20-entrypoint_kibana_settings.sh
+++ b/kibana/config/20-entrypoint_kibana_settings.sh
@@ -0,0 +1,183 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 WAZUH_MAJOR=3
 ##############################################################################
 # Wait for the Kibana API to start. It is necessary to do it in this container
 # because the others are running Elastic Stack and we can not interrupt them.
 #
 # The following actions are performed:
 #
 # Add the wazuh alerts index as default.
 # Set the Discover time interval to 24 hours instead of 15 minutes.
 # Do not ask user to help providing usage statistics to Elastic.
 ##############################################################################
 ##############################################################################
 # Customize elasticsearch ip
 ##############################################################################
 if [[ "$ELASTICSEARCH_KIBANA_IP" != "" && "$CONFIGURATION_FROM_FILE" == "false" ]]; then
  sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml
  sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
 fi
 echo "SETTINGS - Update Elasticsearch host."
 # If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
 if [[ "$KIBANA_INDEX" != "" && "$CONFIGURATION_FROM_FILE" == "false" ]]; then
  if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
    sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
  fi
    echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
 fi
 # If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false.
 if [[ "$XPACK_SECURITY_ENABLED" != "" && "$CONFIGURATION_FROM_FILE" == "false" ]]; then
  if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
    sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
  fi
    echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
 fi
 ##############################################################################
 # Get Kibana credentials
 ##############################################################################
 if [ "$KIBANA_IP" != "" ]; then
  kibana_ip="$KIBANA_IP"
 else
  kibana_ip="kibana"
 fi
 KIBANA_USER=""
 KIBANA_PASS=""
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
  KIBANA_USER=${SECURITY_KIBANA_USER}
  KIBANA_PASS=${SECURITY_KIBANA_PASS}
 else
  input=${SECURITY_CREDENTIALS_FILE}
  while IFS= read -r line
  do
    if [[ $line == *"KIBANA_PASSWORD"* ]]; then
      arrIN=(${line//:/ })
      KIBANA_PASS=${arrIN[1]}
    elif [[ $line == *"KIBANA_USER"* ]]; then
      arrIN=(${line//:/ })
      KIBANA_USER=${arrIN[1]}
    fi
  done < "$input"
 fi
 echo "SETTINGS - Kibana credentials obtained."
 ##############################################################################
 # Set url authentication.
 ##############################################################################
 if [ ${SECURITY_ENABLED} != "no" ]; then
  auth="-k -u $KIBANA_USER:${KIBANA_PASS}"
  kibana_secure_ip="https://$kibana_ip"
 else
  auth=""
  kibana_secure_ip="http://$kibana_ip"
 fi
 echo "SETTINGS - Kibana authentication established."
 ##############################################################################
 # Waiting for Kibana.
 ##############################################################################
 while [[ "$(curl $auth -XGET -I  -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
  echo "SETTINGS - Waiting for Kibana API. Sleeping 5 seconds"
  sleep 5
 done
 echo "SETTINGS - Kibana API is running"
 ##############################################################################
 # Prepare index selection.
 ##############################################################################
 echo "SETTINGS - Prepare index selection."
 default_index="/tmp/default_index.json"
 if [[ $PATTERN == "" ]]; then
  cat > ${default_index} << EOF
 {
  "changes": {
    "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
  }
 }
 EOF
 else
  cat > ${default_index} << EOF
 {
  "changes": {
    "defaultIndex": "$PATTERN"
  }
 }
 EOF
 fi
 sleep 5
 ##############################################################################
 # Add the wazuh alerts index as default.
 ##############################################################################
 echo "SETTINGS - Add the wazuh alerts index as default."
 curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
 rm -f ${default_index}
 sleep 5
 ##############################################################################
 # Configuring Kibana TimePicker.
 ##############################################################################
 echo "SETTINGS - Configuring Kibana TimePicker."
 curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
 '{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-24h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'
 sleep 5
 ##############################################################################
 # Do not ask user to help providing usage statistics to Elastic.
 ##############################################################################
 echo "SETTINGS - Do not ask user to help providing usage statistics to Elastic."
 curl $auth -POST "$kibana_secure_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
 ##############################################################################
 # Remove credentials file.
 ##############################################################################
 echo "SETTINGS - Remove credentials file."
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
  echo "Security credentials file not used. Nothing to do."
 else
  shred -zvu ${SECURITY_CREDENTIALS_FILE}
 fi
 echo "End settings"
--- a/kibana/config/entrypoint.sh
+++ b/kibana/config/entrypoint.sh
@@ -1,60 +1,8 @@
 #!/bin/bash
-# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-set -e
+# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
  bash "$script"
 ##############################################################################
 # Waiting for elasticsearch
 ##############################################################################
 if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
  export el_url="http://elasticsearch:9200"
 else
  export el_url="${ELASTICSEARCH_URL}"
 fi
 if [[ ${ENABLED_SECURITY} == "false" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
  export auth=""
 else
  export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"
 fi
 until curl -XGET $el_url ${auth}; do
  >&2 echo "Elastic is unavailable - sleeping"
  sleep 5
 done
 sleep 2
 >&2 echo "Elasticsearch is up."
 ##############################################################################
 # Waiting for wazuh alerts template
 ##############################################################################
 strlen=0
 while [[ $strlen -eq 0 ]]
 do
  template=$(curl ${auth} $el_url/_cat/templates/wazuh -s)
  strlen=${#template}
  >&2 echo "Wazuh alerts template not loaded - sleeping."
  sleep 2
 done
 sleep 2
 >&2 echo "Wazuh alerts template is loaded."
 ./xpack_config.sh
 ./wazuh_app_config.sh
 sleep 5
 ./kibana_settings.sh &
 sleep 2
 /usr/local/bin/kibana-docker
--- a/kibana/config/kibana_settings.sh
+++ b/kibana/config/kibana_settings.sh
@@ -1,79 +0,0 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 WAZUH_MAJOR=4
 ##############################################################################
 # Wait for the Kibana API to start. It is necessary to do it in this container
 # because the others are running Elastic Stack and we can not interrupt them.
 #
 # The following actions are performed:
 #
 # Add the wazuh alerts index as default.
 # Set the Discover time interval to 24 hours instead of 15 minutes.
 # Do not ask user to help providing usage statistics to Elastic.
 ##############################################################################
 ##############################################################################
 # Customize elasticsearch ip
 ##############################################################################
 sed -i "s|elasticsearch.hosts:.*|elasticsearch.hosts: $el_url|g" /usr/share/kibana/config/kibana.yml
 # If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
 if [ "$KIBANA_INDEX" != "" ]; then
  if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
    sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
  fi
    echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
 fi
 kibana_proto="http"
 if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
  kibana_proto="https"
  if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
    sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
  fi
    echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
 fi
 # Add auth headers if required
 if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; then
    curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD"
 fi
 while [[ "$(curl $curl_auth -XGET -I  -s -o /dev/null -w ''%{http_code}'' -k $kibana_proto://127.0.0.1:5601/status)" != "200" ]]; do
  echo "Waiting for Kibana API. Sleeping 5 seconds"
  sleep 5
 done
 # Prepare index selection.
 echo "Kibana API is running"
 default_index="/tmp/default_index.json"
 cat > ${default_index} << EOF
 {
  "changes": {
    "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
  }
 }
 EOF
 sleep 5
 # Add the wazuh alerts index as default.
 curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
 rm -f ${default_index}
 sleep 5
 # Configuring Kibana TimePicker.
 curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
 '{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-12h\",\n  \"to\": \"now\"}"}}'
 sleep 5
 # Do not ask user to help providing usage statistics to Elastic
 curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
 echo "End settings"
--- a/kibana/config/wazuh.yml
+++ b/kibana/config/wazuh.yml
@@ -1,162 +0,0 @@
 ---
 #
 # Wazuh app - App configuration file
 # Copyright (C) 2015-2021 Wazuh, Inc.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.
 #
 # Find more information about this on the LICENSE file.
 #
 # ======================== Wazuh app configuration file ========================
 #
 # Please check the documentation for more information on configuration options:
 # https://documentation.wazuh.com/current/installation-guide/index.html
 #
 # Also, you can check our repository:
 # https://github.com/wazuh/wazuh-kibana-app
 #
 # ------------------------------- Index patterns -------------------------------
 #
 # Default index pattern to use.
 #pattern: wazuh-alerts-*
 #
 # ----------------------------------- Checks -----------------------------------
 #
 # Defines which checks must to be consider by the healthcheck
 # step once the Wazuh app starts. Values must to be true or false.
 #checks.pattern : true
 #checks.template: true
 #checks.api     : true
 #checks.setup   : true
 #checks.metaFields: true
 #
 # --------------------------------- Extensions ---------------------------------
 #
 # Defines which extensions should be activated when you add a new API entry.
 # You can change them after Wazuh app starts.
 # Values must to be true or false.
 #extensions.pci       : true
 #extensions.gdpr      : true
 #extensions.hipaa     : true
 #extensions.nist      : true
 #extensions.tsc       : true
 #extensions.audit     : true
 #extensions.oscap     : false
 #extensions.ciscat    : false
 #extensions.aws       : false
 #extensions.gcp       : false
 #extensions.virustotal: false
 #extensions.osquery   : false
 #extensions.docker    : false
 #
 # ---------------------------------- Time out ----------------------------------
 #
 # Defines maximum timeout to be used on the Wazuh app requests.
 # It will be ignored if it is bellow 1500.
 # It means milliseconds before we consider a request as failed.
 # Default: 20000
 #timeout: 20000
 #
 # -------------------------------- API selector --------------------------------
 #
 # Defines if the user is allowed to change the selected
 # API directly from the Wazuh app top menu.
 # Default: true
 #api.selector: true
 #
 # --------------------------- Index pattern selector ---------------------------
 #
 # Defines if the user is allowed to change the selected
 # index pattern directly from the Wazuh app top menu.
 # Default: true
 #ip.selector: true
 #
 # List of index patterns to be ignored
 #ip.ignore: []
 #
 # -------------------------------- X-Pack RBAC ---------------------------------
 #
 # Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
 # Default: enabled
 #xpack.rbac.enabled: true
 #
 # ------------------------------ wazuh-monitoring ------------------------------
 #
 # Custom setting to enable/disable wazuh-monitoring indices.
 # Values: true, false, worker
 # If worker is given as value, the app will show the Agents status
 # visualization but won't insert data on wazuh-monitoring indices.
 # Default: true
 #wazuh.monitoring.enabled: true
 #
 # Custom setting to set the frequency for wazuh-monitoring indices cron task.
 # Default: 900 (s)
 #wazuh.monitoring.frequency: 900
 #
 # Configure wazuh-monitoring-* indices shards and replicas.
 #wazuh.monitoring.shards: 2
 #wazuh.monitoring.replicas: 0
 #
 # Configure wazuh-monitoring-* indices custom creation interval.
 # Values: h (hourly), d (daily), w (weekly), m (monthly)
 # Default: d
 #wazuh.monitoring.creation: d
 #
 # Default index pattern to use for Wazuh monitoring
 #wazuh.monitoring.pattern: wazuh-monitoring-*
 #
 # --------------------------------- wazuh-cron ----------------------------------
 #
 # Customize the index prefix of predefined jobs
 # This change is not retroactive, if you change it new indexes will be created
 # cron.prefix: test
 #
 # ------------------------------ wazuh-statistics -------------------------------
 #
 # Custom setting to enable/disable statistics tasks.
 #cron.statistics.status: true
 #
 # Enter the ID of the APIs you want to save data from, leave this empty to run
 # the task on all configured APIs
 #cron.statistics.apis: []
 #
 # Define the frequency of task execution using cron schedule expressions
 #cron.statistics.interval: 0 0 * * * *
 #
 # Define the name of the index in which the documents are to be saved.
 #cron.statistics.index.name: statistics
 #
 # Define the interval in which the index will be created
 #cron.statistics.index.creation: w
 #
 # ------------------------------- App privileges --------------------------------
 #admin: true
 #
 # ---------------------------- Hide manager alerts ------------------------------
 # Hide the alerts of the manager in all dashboards and discover
 #hideManagerAlerts: false
 #
 # ------------------------------- App logging level -----------------------------
 # Set the logging level for the Wazuh App log files.
 # Default value: info
 # Allowed values: info, debug
 #logs.level: info
 #
 # -------------------------------- Enrollment DNS -------------------------------
 # Set the variable WAZUH_REGISTRATION_SERVER in agents deployment.
 # Default value: ''
 #enrollment.dns: ''
 #
 #-------------------------------- API entries -----------------------------------
 #The following configuration is the default structure to define an API entry.
 #
 #hosts:
 #  - <id>:
 #     url: http(s)://<url>
 #     port: <port>
 #     username: <username>
 #     password: <password>
--- a/kibana/config/wazuh_app_config.sh
+++ b/kibana/config/wazuh_app_config.sh
@@ -1,64 +0,0 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 wazuh_url="${WAZUH_API_URL:-https://wazuh}"
 wazuh_port="${API_PORT:-55000}"
 api_username="${API_USERNAME:-wazuh-wui}"
 api_password="${API_PASSWORD:-wazuh-wui}"
 kibana_config_file="/usr/share/kibana/data/wazuh/config/wazuh.yml"
 declare -A CONFIG_MAP=(
  [pattern]=$PATTERN
  [checks.pattern]=$CHECKS_PATTERN
  [checks.template]=$CHECKS_TEMPLATE
  [checks.api]=$CHECKS_API
  [checks.setup]=$CHECKS_SETUP
  [extensions.pci]=$EXTENSIONS_PCI
  [extensions.gdpr]=$EXTENSIONS_GDPR
  [extensions.hipaa]=$EXTENSIONS_HIPAA
  [extensions.nist]=$EXTENSIONS_NIST
  [extensions.tsc]=$EXTENSIONS_TSC
  [extensions.audit]=$EXTENSIONS_AUDIT
  [extensions.oscap]=$EXTENSIONS_OSCAP
  [extensions.ciscat]=$EXTENSIONS_CISCAT
  [extensions.aws]=$EXTENSIONS_AWS
  [extensions.gcp]=$EXTENSIONS_GCP
  [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
  [extensions.osquery]=$EXTENSIONS_OSQUERY
  [extensions.docker]=$EXTENSIONS_DOCKER
  [timeout]=$APP_TIMEOUT
  [api.selector]=$API_SELECTOR
  [ip.selector]=$IP_SELECTOR
  [ip.ignore]=$IP_IGNORE
  [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
  [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
  [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
  [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
  [admin]=$ADMIN_PRIVILEGES
 )
 for i in "${!CONFIG_MAP[@]}"
 do
    if [ "${CONFIG_MAP[$i]}" != "" ]; then
        sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
    fi
 done
 CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013)
 grep -q 1513629884013 $kibana_config_file
 _config_exists=$?
 if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
 cat << EOF >> $kibana_config_file
 hosts:
  - 1513629884013:
      url: $wazuh_url
      port: $wazuh_port
      username: $api_username
      password: $api_password
 EOF
 else
  echo "Wazuh APP already configured"
 fi
--- a/kibana/config/wazuhapp-3.11.4_7.4.2.zip.REMOVED.git-id
+++ b/kibana/config/wazuhapp-3.11.4_7.4.2.zip.REMOVED.git-id
@@ -0,0 +1 @@
 a58d8e7a4edaa0b4aa7e5fa76e16e49f884faddf
--- a/kibana/config/welcome_wazuh.sh
+++ b/kibana/config/welcome_wazuh.sh
@@ -0,0 +1,30 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 if [[ $CHANGE_WELCOME == "true" ]]
 then
    rm -rf ./optimize/bundles
    kibana_path="/usr/share/kibana"
    # Set Wazuh app as the default landing page
    echo "Set Wazuh app as the default landing page"
    echo "server.defaultRoute: /app/wazuh" >> $kibana_path/config/kibana.yml
    # Redirect Kibana welcome screen to Discover
    echo "Redirect Kibana welcome screen to Discover"
    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/core/public/chrome/chrome_service.js
    # Hide management undesired links
    echo "Hide management undesired links"
    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/rollup/public/crud_app/index.js
    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/license_management/public/management_section.js
    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/index_lifecycle_management/public/register_management_section.js
    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/cross_cluster_replication/public/register_routes.js
    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/index.js
    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/upgrade_assistant/public/index.js
    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/snapshot_restore/public/plugin.js
    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/plugin.js
    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/index_management/public/register_management_section.js
 fi
--- a/kibana/config/xpack_config.sh
+++ b/kibana/config/xpack_config.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 kibana_config_file="/usr/share/kibana/config/kibana.yml"
 if grep -Fq  "#xpack features" "$kibana_config_file";
@@ -10,8 +10,12 @@ then
    [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
    [xpack.ml.enabled]=$XPACK_ML
    [xpack.canvas.enabled]=$XPACK_CANVAS
    [xpack.logstash.enabled]=$XPACK_LOGS
    [xpack.infra.enabled]=$XPACK_INFRA
    [xpack.monitoring.enabled]=$XPACK_MONITORING
    [xpack.maps.enabled]=$XPACK_MAPS
    [xpack.uptime.enabled]=$XPACK_UPTIME
    [xpack.siem.enabled]=$XPACK_SIEM
    [console.enabled]=$XPACK_DEVTOOLS
  )
  for i in "${!CONFIG_MAP[@]}"
@@ -28,8 +32,12 @@ xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
 xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
 xpack.ml.enabled: $XPACK_ML
 xpack.canvas.enabled: $XPACK_CANVAS
 xpack.logstash.enabled: $XPACK_LOGS
 xpack.infra.enabled: $XPACK_INFRA
 xpack.monitoring.enabled: $XPACK_MONITORING
 xpack.maps.enabled: $XPACK_MAPS
 xpack.uptime.enabled: $XPACK_UPTIME
 xpack.siem.enabled: $XPACK_SIEM
 console.enabled: $XPACK_DEVTOOLS
 " >> $kibana_config_file
 fi
--- a/logstash/Dockerfile
+++ b/logstash/Dockerfile
@@ -0,0 +1,46 @@
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ARG LOGSTASH_VERSION=7.4.2
 FROM docker.elastic.co/logstash/logstash:${LOGSTASH_VERSION}
 COPY --chown=logstash:logstash config/entrypoint.sh /entrypoint.sh
 RUN chmod 755 /entrypoint.sh
 RUN rm -f /usr/share/logstash/pipeline/logstash.conf
 ENV PIPELINE_FROM_FILE="false"
 COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf
 # This CA is created for testing. Please set your own CA pem signed certificate. 
 # command: $ docker build <logstash_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_PEM_ARG=<CA_PEM_NAME>
 # ENV variables are necessary: SECURITY_CA_PEM 
 # Sample:
 # ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
 # ARG SECURITY_CA_PEM_ARG="server.TEST-CA-signed.pem"
 ARG SECURITY_CA_PEM_LOCATION=""
 ARG SECURITY_CA_PEM_ARG=""
 # CA for secure communication with Elastic
 ADD $SECURITY_CA_PEM_LOCATION /usr/share/logstash/config
 # Set permissions for CA
 USER root
 RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chown logstash: /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
 RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chmod 400 /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
 # Add entrypoint scripts
 RUN mkdir /entrypoint-scripts
 RUN chmod -R 774 /entrypoint-scripts
 RUN chown -R logstash:logstash /entrypoint-scripts
 COPY --chown=logstash:logstash ./config/05-decrypt_credentials.sh /entrypoint-scripts/05-decrypt_credentials.sh
 COPY --chown=logstash:logstash ./config/10-entrypoint.sh /entrypoint-scripts/10-entrypoint.sh
 COPY --chown=logstash:logstash ./config/10-entrypoint_configuration.sh ./config/10-entrypoint_configuration.sh
 RUN chmod +x /entrypoint-scripts/05-decrypt_credentials.sh && \
    chmod +x /entrypoint-scripts/10-entrypoint.sh && \
    chmod +x ./config/10-entrypoint_configuration.sh
 USER logstash
 ENTRYPOINT /entrypoint.sh
--- a/logstash/config/01-wazuh.conf
+++ b/logstash/config/01-wazuh.conf
@@ -0,0 +1,64 @@
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 # Wazuh - Logstash configuration file
 ## Remote Wazuh Manager - Filebeat input
 input {
    beats {
        port => 5000
 #       ssl => true
 #       ssl_certificate => "/etc/logstash/logstash.crt"
 #       ssl_key => "/etc/logstash/logstash.key"
    }
 }
 filter {
    json {
      source => "message"
    }
 }
 filter {
    if [data][srcip] {
        mutate {
            add_field => [ "@src_ip", "%{[data][srcip]}" ]
        }
    }
    if [data][aws][sourceIPAddress] {
        mutate {
            add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
        }
    }
 }
 filter {
    geoip {
        source => "@src_ip"
        target => "GeoLocation"
        fields => ["city_name", "country_name", "region_name", "location"]
    }
    date {
        match => ["timestamp", "ISO8601"]
        target => "@timestamp"
    }
    mutate {
        remove_field => [ "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
    }
 }
 filter {
    # Workarounds for vulnerability-detector
    if "vulnerability-detector" in [rule][groups] {
        # Drop vulnerability-detector events from Manager
        if [agent][id] == "000"{
            drop { }
        }
        # if exists, remove data.vulnerability.published field due to conflicts
        if [data][vulnerability][published] {
            mutate {
                remove_field => [ "[data][vulnerability][published]" ]
            }
        }
    }
 }
 output {
    elasticsearch {
        hosts => ["elasticsearch:9200"]
        index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
    }
 }
--- a/logstash/config/05-decrypt_credentials.sh
+++ b/logstash/config/05-decrypt_credentials.sh
@@ -0,0 +1,15 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # Decrypt credentials.
 # If the credentials of the users to be created are encrypted,
 # they must be decrypted for later use. 
 ##############################################################################
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
    echo "Security credentials file not used. Nothing to do."
 else
    echo "TO DO"
 fi
 # TO DO
--- a/logstash/config/10-entrypoint.sh
+++ b/logstash/config/10-entrypoint.sh
@@ -0,0 +1,163 @@
 #!/bin/bash
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 #
 # OSSEC container bootstrap. See the README for information of the environment
 # variables expected by this script.
 #
 set -e
 ##############################################################################
 # Set elasticsearch url.
 ##############################################################################
 if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
  el_url="http://elasticsearch:9200"
 else
  el_url="${ELASTICSEARCH_URL}"
 fi
 echo "ENTRYPOINT - Elasticsearch url: $el_url"
 ##############################################################################
 # Get Logstash credentials.
 ##############################################################################
 LOGSTASH_USER=""
 LOGSTASH_PASS=""
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
  LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
  LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
 else
  input=${SECURITY_CREDENTIALS_FILE}
  while IFS= read -r line
  do
    if [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
      arrIN=(${line//:/ })
      LOGSTASH_PASS=${arrIN[1]}
    elif [[ $line == *"LOGSTASH_USER"* ]]; then
      arrIN=(${line//:/ })
      LOGSTASH_USER=${arrIN[1]}
    fi
  done < "$input"
 fi
 echo "ENTRYPOINT - Logstash credentials obtained."
 ##############################################################################
 # Set authentication for curl command. 
 ##############################################################################
 if [ ${SECURITY_ENABLED} != "no" ]; then
  auth="-u ${LOGSTASH_USER}:${LOGSTASH_PASS} -k"
 elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
  auth=""
 else
  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
 fi
 echo "ENTRYPOINT - curl authentication established"
 ##############################################################################
 # Customize logstash output ip.
 ##############################################################################
 if [ "$LOGSTASH_OUTPUT" != "" ]; then
  >&2 echo "ENTRYPOINT - Customize Logstash ouput ip."
  sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml
  if [[ "$PIPELINE_FROM_FILE" == "false" ]]; then
    sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf
  fi
 fi
 ##############################################################################
 # Waiting for elasticsearch.
 ##############################################################################
 until curl $auth -XGET $el_url; do
  >&2 echo "ENTRYPOINT - Elastic is unavailable - sleeping."
  sleep 5
 done
 sleep 2
 >&2 echo "ENTRYPOINT - Elasticsearch is up."
 ##############################################################################
 # Create keystore if security is enabled.
 ##############################################################################
 if [[ $SECURITY_ENABLED == "yes" ]]; then
  echo "ENTRYPOINT - Create Keystore."
  ## Create secure keystore
  SECURITY_RANDOM_PASS=`date +%s | sha256sum | base64 | head -c 32 ; echo`
  export LOGSTASH_KEYSTORE_PASS=$SECURITY_RANDOM_PASS
  /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config create
  ## Settings for logstash.yml
  bash /usr/share/logstash/config/10-entrypoint_configuration.sh 
  ## Add keys to the keystore
  echo -e "$LOGSTASH_USER" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_USER
  echo -e "$LOGSTASH_PASS" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_PASS
 fi
 ##############################################################################
 # Waiting for wazuh alerts template
 ##############################################################################
 strlen=0
 while [[ $strlen -eq 0 ]]
 do
  template=$(curl $auth $el_url/_cat/templates/wazuh -s)
  strlen=${#template}
  >&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping."
  sleep 2
 done
 sleep 2
 >&2 echo "ENTRYPOINT - Wazuh alerts template is loaded."
 ##############################################################################
 # Remove credentials file
 ##############################################################################
 >&2 echo "ENTRYPOINT - Removing unnecessary files."
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
  echo "ENTRYPOINT - Security credentials file not used. Nothing to do."
 else
  shred -zvu ${SECURITY_CREDENTIALS_FILE}
 fi
 >&2 echo "ENTRYPOINT - Unnecessary files removed."
 ##############################################################################
 # Map environment variables to entries in logstash.yml.
 # Note that this will mutate logstash.yml in place if any such settings are found.
 # This may be undesirable, especially if logstash.yml is bind-mounted from the
 # host system.
 ##############################################################################
 env2yaml /usr/share/logstash/config/logstash.yml
 export LS_JAVA_OPTS="-Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ $LS_JAVA_OPTS"
 if [[ -z $1 ]] || [[ ${1:0:1} == '-' ]] ; then
  exec logstash "$@"
 else
  exec "$@"
 fi
--- a/logstash/config/10-entrypoint_configuration.sh
+++ b/logstash/config/10-entrypoint_configuration.sh
@@ -0,0 +1,27 @@
 #!/bin/bash
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 #
 # OSSEC container bootstrap. See the README for information of the environment
 # variables expected by this script.
 #
 set -e
 ##############################################################################
 # Adapt logstash.yml configuration. 
 ##############################################################################
 if [[ $SECURITY_ENABLED == "yes" ]]; then
    echo "CONFIGURATION - TO DO"
    # Settings for logstash.yml
    # Example:
    #   echo "
    # xpack.monitoring.enabled: true
    # xpack.monitoring.elasticsearch.username: LOGSTASH_USER
    # xpack.monitoring.elasticsearch.password: LOGSTASH_PASS
    # xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/CA.pem
    # " >> /usr/share/logstash/config/logstash.yml
 fi
--- a/logstash/config/entrypoint.sh
+++ b/logstash/config/entrypoint.sh
@@ -0,0 +1,8 @@
 #!/bin/bash
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
  bash "$script"
 done
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -0,0 +1,19 @@
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM nginx:latest
 ENV DEBIAN_FRONTEND noninteractive
 RUN apt-get update && apt-get install -y openssl apache2-utils
 COPY config/entrypoint.sh /entrypoint.sh
 RUN chmod 755 /entrypoint.sh
 RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 VOLUME ["/etc/nginx/conf.d"]
 ENV NGINX_NAME="foo" \
    NGINX_PWD="bar"
 ENTRYPOINT /entrypoint.sh
--- a/nginx/config/entrypoint.sh
+++ b/nginx/config/entrypoint.sh
@@ -0,0 +1,79 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 set -e
 # Generating certificates.
 if [ ! -d /etc/nginx/conf.d/ssl ]; then
  echo "Generating SSL certificates"
  mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private
  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null
 else
  echo "SSL certificates already present"
 fi
 # Setting users credentials.
 # In order to set NGINX_CREDENTIALS, before "docker-compose up -d" run (a or b):
 #
 # a) export NGINX_CREDENTIALS="user1:pass1;user2:pass2;" or
 #    export NGINX_CREDENTIALS="user1:pass1;user2:pass2"
 #
 # b) Set NGINX_CREDENTIALS in docker-compose.yml:
 #    NGINX_CREDENTIALS=user1:pass1;user2:pass2; or
 #    NGINX_CREDENTIALS=user1:pass1;user2:pass2
 #
 if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
  echo "Setting users credentials"
  if [ ! -z "$NGINX_CREDENTIALS" ]; then
    IFS=';' read -r -a users <<< "$NGINX_CREDENTIALS"
    for index in "${!users[@]}"
    do
      IFS=':' read -r -a credentials <<< "${users[index]}"
      if [ $index -eq 0 ]; then
        echo ${credentials[1]}|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} >/dev/null
      else
        echo ${credentials[1]}|htpasswd -i /etc/nginx/conf.d/kibana.htpasswd  ${credentials[0]} >/dev/null
      fi
    done
  else
    # NGINX_PWD and NGINX_NAME are declared in nginx/Dockerfile 
    echo $NGINX_PWD|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME >/dev/null
  fi
 else
  echo "Kibana credentials already configured"
 fi
 if [ "x${NGINX_PORT}" = "x" ]; then
  NGINX_PORT=443
 fi
 if [ "x${KIBANA_HOST}" = "x" ]; then
  KIBANA_HOST="kibana:5601"
 fi
 echo "Configuring NGINX"
 cat > /etc/nginx/conf.d/default.conf <<EOF
 server {
    listen 80;
    listen [::]:80;
    return 301 https://\$host:${NGINX_PORT}\$request_uri;
 }
 server {
    listen ${NGINX_PORT} default_server;
    listen [::]:${NGINX_PORT};
    ssl on;
    ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
    ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://${KIBANA_HOST}/;
        proxy_buffer_size          128k;
        proxy_buffers              4 256k;
        proxy_busy_buffers_size    256k;
    }
 }
 EOF
 nginx -g 'daemon off;'
--- a/production-cluster.yml
+++ b/production-cluster.yml
@@ -1,206 +0,0 @@
 # Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 version: '3.7'
 services:
  wazuh-master:
    image: wazuh/wazuh-odfe:4.2.3
    hostname: wazuh-master
    restart: always
    ports:
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - ELASTICSEARCH_URL=https://elasticsearch:9200
      - ELASTIC_USERNAME=admin
      - ELASTIC_PASSWORD=SecretPassword
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_USERNAME=acme-user
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - ossec-api-configuration:/var/ossec/api/configuration
      - ossec-etc:/var/ossec/etc
      - ossec-logs:/var/ossec/logs
      - ossec-queue:/var/ossec/queue
      - ossec-var-multigroups:/var/ossec/var/multigroups
      - ossec-integrations:/var/ossec/integrations
      - ossec-active-response:/var/ossec/active-response/bin
      - ossec-agentless:/var/ossec/agentless
      - ossec-wodles:/var/ossec/wodles
      - filebeat-etc:/etc/filebeat
      - filebeat-var:/var/lib/filebeat
      - ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
      - ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
      - ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
      - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
  wazuh-worker:
    image: wazuh/wazuh-odfe:4.2.3
    hostname: wazuh-worker
    restart: always
    environment:
      - ELASTICSEARCH_URL=https://elasticsearch:9200
      - ELASTIC_USERNAME=admin
      - ELASTIC_PASSWORD=SecretPassword
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
    volumes:
      - worker-ossec-api-configuration:/var/ossec/api/configuration
      - worker-ossec-etc:/var/ossec/etc
      - worker-ossec-logs:/var/ossec/logs
      - worker-ossec-queue:/var/ossec/queue
      - worker-ossec-var-multigroups:/var/ossec/var/multigroups
      - worker-ossec-integrations:/var/ossec/integrations
      - worker-ossec-active-response:/var/ossec/active-response/bin
      - worker-ossec-agentless:/var/ossec/agentless
      - worker-ossec-wodles:/var/ossec/wodles
      - worker-filebeat-etc:/etc/filebeat
      - worker-filebeat-var:/var/lib/filebeat
      - ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
      - ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
      - ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
      - ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
  elasticsearch:
    image: amazon/opendistro-for-elasticsearch:1.13.2
    hostname: elasticsearch
    restart: always
    ports:
      - "9200:9200"
    environment:
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - elastic-data-1:/usr/share/elasticsearch/data
      - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
      - ./production_cluster/ssl_certs/node1.key:/usr/share/elasticsearch/config/node1.key
      - ./production_cluster/ssl_certs/node1.pem:/usr/share/elasticsearch/config/node1.pem
      - ./production_cluster/ssl_certs/admin.pem:/usr/share/elasticsearch/config/admin.pem
      - ./production_cluster/ssl_certs/admin.key:/usr/share/elasticsearch/config/admin.key
      - ./production_cluster/elastic_opendistro/elasticsearch-node1.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
  elasticsearch-2:
    image: amazon/opendistro-for-elasticsearch:1.13.2
    hostname: elasticsearch-2
    restart: always
    environment:
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - elastic-data-2:/usr/share/elasticsearch/data
      - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
      - ./production_cluster/ssl_certs/node2.key:/usr/share/elasticsearch/config/node2.key
      - ./production_cluster/ssl_certs/node2.pem:/usr/share/elasticsearch/config/node2.pem
      - ./production_cluster/elastic_opendistro/elasticsearch-node2.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
  elasticsearch-3:
    image: amazon/opendistro-for-elasticsearch:1.13.2
    hostname: elasticsearch-3
    restart: always
    environment:
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - elastic-data-3:/usr/share/elasticsearch/data
      - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
      - ./production_cluster/ssl_certs/node3.key:/usr/share/elasticsearch/config/node3.key
      - ./production_cluster/ssl_certs/node3.pem:/usr/share/elasticsearch/config/node3.pem
      - ./production_cluster/elastic_opendistro/elasticsearch-node3.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
  kibana:
    image: wazuh/wazuh-kibana-odfe:4.2.3
    hostname: kibana
    restart: always
    ports:
      - 5601:5601
    environment:
      - ELASTICSEARCH_USERNAME=admin
      - ELASTICSEARCH_PASSWORD=SecretPassword
      - SERVER_SSL_ENABLED=true
      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/cert.pem
      - SERVER_SSL_KEY=/usr/share/kibana/config/key.pem
      - WAZUH_API_URL="https://wazuh-master"
      - API_USERNAME=acme-user
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - ./production_cluster/kibana_ssl/cert.pem:/usr/share/kibana/config/cert.pem
      - ./production_cluster/kibana_ssl/key.pem:/usr/share/kibana/config/key.pem
    depends_on:
      - elasticsearch
    links:
      - elasticsearch:elasticsearch
      - wazuh-master:wazuh-master
  nginx:
    image: nginx:stable
    hostname: nginx
    restart: always
    ports:
      - "80:80"
      - "443:443"
      - "1514:1514"
    depends_on:
      - wazuh-master
      - wazuh-worker
      - kibana
    links:
      - wazuh-master:wazuh-master
      - wazuh-worker:wazuh-worker
      - kibana:kibana
    volumes:
      - ./production_cluster/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./production_cluster/nginx/ssl:/etc/nginx/ssl:ro
 volumes:
  ossec-api-configuration:
  ossec-etc:
  ossec-logs:
  ossec-queue:
  ossec-var-multigroups:
  ossec-integrations:
  ossec-active-response:
  ossec-agentless:
  ossec-wodles:
  filebeat-etc:
  filebeat-var:
  worker-ossec-api-configuration:
  worker-ossec-etc:
  worker-ossec-logs:
  worker-ossec-queue:
  worker-ossec-var-multigroups:
  worker-ossec-integrations:
  worker-ossec-active-response:
  worker-ossec-agentless:
  worker-ossec-wodles:
  worker-filebeat-etc:
  worker-filebeat-var:
  elastic-data-1:
  elastic-data-2:
  elastic-data-3:
--- a/production_cluster/elastic_opendistro/elasticsearch-node1.yml
+++ b/production_cluster/elastic_opendistro/elasticsearch-node1.yml
@@ -1,31 +0,0 @@
 network.host: 0.0.0.0
 cluster.name: wazuh-cluster
 node.name: elasticsearch
 discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
 cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
 bootstrap.memory_lock: true
 opendistro_security.ssl.transport.pemcert_filepath: node1.pem
 opendistro_security.ssl.transport.pemkey_filepath: node1.key
 opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
 opendistro_security.ssl.transport.enforce_hostname_verification: false
 opendistro_security.ssl.transport.resolve_hostname: false
 opendistro_security.ssl.http.enabled: true
 opendistro_security.ssl.http.pemcert_filepath: node1.pem
 opendistro_security.ssl.http.pemkey_filepath: node1.key
 opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
 opendistro_security.allow_default_init_securityindex: true
 opendistro_security.nodes_dn:
    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
 opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
 opendistro_security.audit.type: internal_elasticsearch
 opendistro_security.enable_snapshot_restore_privilege: true
 opendistro_security.check_snapshot_restore_write_privileges: true
 opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
 cluster.routing.allocation.disk.threshold_enabled: false
 #opendistro_security.audit.config.disabled_rest_categories: NONE
 #opendistro_security.audit.config.disabled_transport_categories: NONE
 opendistro_security.audit.log_request_body: false
--- a/production_cluster/elastic_opendistro/elasticsearch-node2.yml
+++ b/production_cluster/elastic_opendistro/elasticsearch-node2.yml
@@ -1,31 +0,0 @@
 network.host: 0.0.0.0
 cluster.name: wazuh-cluster
 node.name: elasticsearch-2
 discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
 cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
 bootstrap.memory_lock: true
 opendistro_security.ssl.transport.pemcert_filepath: node2.pem
 opendistro_security.ssl.transport.pemkey_filepath: node2.key
 opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
 opendistro_security.ssl.transport.enforce_hostname_verification: false
 opendistro_security.ssl.transport.resolve_hostname: false
 opendistro_security.ssl.http.enabled: true
 opendistro_security.ssl.http.pemcert_filepath: node2.pem
 opendistro_security.ssl.http.pemkey_filepath: node2.key
 opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
 opendistro_security.allow_default_init_securityindex: true
 opendistro_security.nodes_dn:
    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
 opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
 opendistro_security.audit.type: internal_elasticsearch
 opendistro_security.enable_snapshot_restore_privilege: true
 opendistro_security.check_snapshot_restore_write_privileges: true
 opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
 cluster.routing.allocation.disk.threshold_enabled: false
 #opendistro_security.audit.config.disabled_rest_categories: NONE
 #opendistro_security.audit.config.disabled_transport_categories: NONE
 opendistro_security.audit.log_request_body: false
--- a/production_cluster/elastic_opendistro/elasticsearch-node3.yml
+++ b/production_cluster/elastic_opendistro/elasticsearch-node3.yml
@@ -1,31 +0,0 @@
 network.host: 0.0.0.0
 cluster.name: wazuh-cluster
 node.name: elasticsearch-3
 discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
 cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
 bootstrap.memory_lock: true
 opendistro_security.ssl.transport.pemcert_filepath: node3.pem
 opendistro_security.ssl.transport.pemkey_filepath: node3.key
 opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
 opendistro_security.ssl.transport.enforce_hostname_verification: false
 opendistro_security.ssl.transport.resolve_hostname: false
 opendistro_security.ssl.http.enabled: true
 opendistro_security.ssl.http.pemcert_filepath: node3.pem
 opendistro_security.ssl.http.pemkey_filepath: node3.key
 opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
 opendistro_security.allow_default_init_securityindex: true
 opendistro_security.nodes_dn:
    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
 opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
 opendistro_security.audit.type: internal_elasticsearch
 opendistro_security.enable_snapshot_restore_privilege: true
 opendistro_security.check_snapshot_restore_write_privileges: true
 opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
 cluster.routing.allocation.disk.threshold_enabled: false
 #opendistro_security.audit.config.disabled_rest_categories: NONE
 #opendistro_security.audit.config.disabled_transport_categories: NONE
 opendistro_security.audit.log_request_body: false
--- a/production_cluster/elastic_opendistro/internal_users.yml
+++ b/production_cluster/elastic_opendistro/internal_users.yml
@@ -1,56 +0,0 @@
 ---
 # This is the internal user database
 # The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
 _meta:
  type: "internalusers"
  config_version: 2
 # Define your internal users here
 ## Demo users
 admin:
  hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"
 kibanaserver:
  hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
  reserved: true
  description: "Demo kibanaserver user"
 kibanaro:
  hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
  reserved: false
  backend_roles:
  - "kibanauser"
  - "readall"
  attributes:
    attribute1: "value1"
    attribute2: "value2"
    attribute3: "value3"
  description: "Demo kibanaro user"
 logstash:
  hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
  reserved: false
  backend_roles:
  - "logstash"
  description: "Demo logstash user"
 readall:
  hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
  reserved: false
  backend_roles:
  - "readall"
  description: "Demo readall user"
 snapshotrestore:
  hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
  reserved: false
  backend_roles:
  - "snapshotrestore"
  description: "Demo snapshotrestore user"
--- a/production_cluster/kibana_ssl/generate-self-signed-cert.sh
+++ b/production_cluster/kibana_ssl/generate-self-signed-cert.sh
@@ -1,13 +0,0 @@
 #!/bin/bash
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 cd $DIR
 if [ -s key.pem ]
 then
    echo "Certificate already exists"
    exit
 else
    openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
    chown -R 1000:1000 *.pem
 fi
--- a/production_cluster/nginx/nginx.conf
+++ b/production_cluster/nginx/nginx.conf
@@ -1,67 +0,0 @@
 user  nginx;
 worker_processes  1;
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
 events {
    worker_connections  1024;
 }
 http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    tcp_nopush     on;
    keepalive_timeout  65;
    server_tokens off;
    gzip  on;
    # kibana UI
    server {
        listen 80;
        listen [::]:80;
        return 301 https://$host:443$request_uri;
    }
    server {
        listen 443 default_server ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/nginx/ssl/cert.pem;
        ssl_certificate_key /etc/nginx/ssl/key.pem;
        location / {
            proxy_pass https://kibana:5601/;
            proxy_ssl_verify off;
            proxy_buffer_size          128k;
            proxy_buffers              4 256k;
            proxy_busy_buffers_size    256k;
        }
    }
 }
 # load balancer for Wazuh cluster
 stream {
    upstream mycluster {
        hash $remote_addr consistent;
        server wazuh-master:1514;
        server wazuh-worker:1514;
    }
    server {
        listen 1514;
        proxy_pass mycluster;
    }
 }
--- a/production_cluster/nginx/ssl/generate-self-signed-cert.sh
+++ b/production_cluster/nginx/ssl/generate-self-signed-cert.sh
@@ -1,12 +0,0 @@
 #!/bin/bash
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 cd $DIR
 if [ -s key.pem ]
 then
    echo "Certificate already exists"
    exit
 else
    openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
 fi
--- a/production_cluster/ssl_certs/certs.yml
+++ b/production_cluster/ssl_certs/certs.yml
@@ -1,35 +0,0 @@
 ca:
   root:
      dn: CN=root-ca,OU=CA,O=Example\, Inc.,DC=example,DC=com
      pkPassword: none
      keysize: 2048
      file: root-ca.pem 
   intermediate:
      dn: CN=intermediate,OU=CA,O=Example\, Inc.,DC=example,DC=com
      keysize: 2048
      validityDays: 3650  
      pkPassword: intermediate-ca-password
      file: intermediate-ca.pem
 nodes:
  - name: node1
    dn: CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com
    dns: 
      - elasticsearch
  - name: node2
    dn: CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com
    dns: 
      - elasticsearch-2
  - name: node3
    dn: CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com
    dns: 
      - elasticsearch-3
  - name: filebeat
    dn: CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com
    dns: 
      - wazuh
 clients:
  - name: admin
    dn: CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com
    admin: true
--- a/production_cluster/wazuh_cluster/wazuh_manager.conf
+++ b/production_cluster/wazuh_cluster/wazuh_manager.conf
@@ -1,349 +0,0 @@
 <ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>ossecm@example.wazuh.com</email_from>
    <email_to>recipient@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>
  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>
    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>
    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
    <skip_nfs>yes</skip_nfs>
  </rootcheck>
  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>
  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>
  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>
  <vulnerability-detector>
    <enabled>no</enabled>
    <interval>5m</interval>
    <ignore_time>6h</ignore_time>
    <run_on_start>yes</run_on_start>
    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>no</enabled>
      <os>stretch</os>
      <os>buster</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>no</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>
    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>
    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>
    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>
    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>
    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>
    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>
    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>
    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>
    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>
  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>4.2.3.1</white_list>
    <white_list>4.2.3.2</white_list>
    <white_list>208.67.220.220</white_list>
  </global>
  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>win_route-null</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>win_route-null-2012</name>
    <executable>route-null-2012.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>netsh</name>
    <executable>netsh.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>netsh-win-2016</name>
    <executable>netsh-win-2016.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <!--
  <active-response>
    active-response options here
  </active-response>
  -->
  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>
  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>
    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>
  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <force_insert>yes</force_insert>
    <force_time>0</force_time>
    <purge>yes</purge>
    <use_password>no</use_password>
    <limit_maxagents>yes</limit_maxagents>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>
  <cluster>
    <name>wazuh</name>
    <node_name>manager</node_name>
    <node_type>master</node_type>
    <key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>wazuh-master</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
 </ossec_config>
 <ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>
 </ossec_config>
--- a/production_cluster/wazuh_cluster/wazuh_worker.conf
+++ b/production_cluster/wazuh_cluster/wazuh_worker.conf
@@ -1,349 +0,0 @@
 <ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>ossecm@example.wazuh.com</email_from>
    <email_to>recipient@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>
  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>
    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>
    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
    <skip_nfs>yes</skip_nfs>
  </rootcheck>
  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>
  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>
  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>
  <vulnerability-detector>
    <enabled>no</enabled>
    <interval>5m</interval>
    <ignore_time>6h</ignore_time>
    <run_on_start>yes</run_on_start>
    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>no</enabled>
      <os>stretch</os>
      <os>buster</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>no</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>
    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>
    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>
    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>
    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>
    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>
    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>
    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>
    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>
    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>
  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>4.2.3.1</white_list>
    <white_list>4.2.3.2</white_list>
    <white_list>208.67.220.220</white_list>
  </global>
  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>win_route-null</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>win_route-null-2012</name>
    <executable>route-null-2012.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>netsh</name>
    <executable>netsh.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>netsh-win-2016</name>
    <executable>netsh-win-2016.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <!--
  <active-response>
    active-response options here
  </active-response>
  -->
  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>
  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>
    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>
  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <force_insert>yes</force_insert>
    <force_time>0</force_time>
    <purge>yes</purge>
    <use_password>no</use_password>
    <limit_maxagents>yes</limit_maxagents>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>
  <cluster>
    <name>wazuh</name>
    <node_name>worker01</node_name>
    <node_type>worker</node_type>
    <key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>wazuh-master</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
 </ossec_config>
 <ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>
 </ossec_config>
--- a/wazuh-odfe/Dockerfile
+++ b/wazuh-odfe/Dockerfile
@@ -1,54 +0,0 @@
 # Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 FROM centos:7
 ARG FILEBEAT_CHANNEL=filebeat-oss
 ARG FILEBEAT_VERSION=7.10.2
 ARG WAZUH_VERSION=4.2.3
 ARG TEMPLATE_VERSION="master"
 ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz"
 # Set repositories.
 RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
 COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo
 RUN yum --enablerepo=updates clean metadata && \
  yum -y install openssl which expect openssh-clients && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \
  sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \
  yum clean all && rm -rf /var/cache/yum
 RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm &&\
  rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm
 RUN curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
 RUN curl -L https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 -o /usr/local/bin/goss && chmod +rx /usr/local/bin/goss
 ARG S6_VERSION="v2.2.0.3"
 RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
    -o /tmp/s6-overlay-amd64.tar.gz && \
    tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \
    tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \
    rm  /tmp/s6-overlay-amd64.tar.gz
 COPY config/filebeat.yml /etc/filebeat/
 RUN chmod go-w /etc/filebeat/filebeat.yml
 ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
 RUN chmod go-w /etc/filebeat/wazuh-template.json
 COPY config/etc/ /etc/
 COPY --chown=root:ossec config/create_user.py /var/ossec/framework/scripts/create_user.py
 # Prepare permanent data
 # Sync calls are due to https://github.com/docker/docker/issues/9547
 COPY config/permanent_data.env config/permanent_data.sh /
 RUN chmod 755 /permanent_data.sh && \
    sync && /permanent_data.sh && \
    sync && rm /permanent_data.sh
 # Services ports
 EXPOSE 55000/tcp 1514/tcp 1515/tcp 514/udp 1516/tcp
 ENTRYPOINT [ "/init" ]
--- a/wazuh-odfe/config/create_user.py
+++ b/wazuh-odfe/config/create_user.py
@@ -1,97 +0,0 @@
 import logging
 import sys
 import json
 import random
 import string
 import os
 # Set framework path
 sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
 USER_FILE_PATH = "/var/ossec/api/configuration/admin.json"
 SPECIAL_CHARS = "@$!%*?&-_"
 try:
    from wazuh.security import (
        create_user,
        get_users,
        get_roles,
        set_user_role,
        update_user,
    )
 except Exception as e:
    logging.error("No module 'wazuh' found.")
    sys.exit(1)
 def read_user_file(path=USER_FILE_PATH):
    with open(path) as user_file:
        data = json.load(user_file)
        return data["username"], data["password"]
 def db_users():
    users_result = get_users()
    return {user["username"]: user["id"] for user in users_result.affected_items}
 def db_roles():
    roles_result = get_roles()
    return {role["name"]: role["id"] for role in roles_result.affected_items}
 def disable_user(uid):
    random_pass = "".join(
                random.choices(
                    string.ascii_uppercase
                    + string.ascii_lowercase
                    + string.digits
                    + SPECIAL_CHARS,
                    k=8,
                )
            )
    # assure there must be at least one character from each group
    random_pass = random_pass + ''.join([random.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]])
    random_pass = ''.join(random.sample(random_pass,len(random_pass)))
    update_user(
        user_id=[
            str(uid),
        ],
        password=random_pass,
    )
 if __name__ == "__main__":
    if not os.path.exists(USER_FILE_PATH):
        # abort if no user file detected
        sys.exit(0)
    username, password = read_user_file()
    initial_users = db_users()
    if username not in initial_users:
        # create a new user
        create_user(username=username, password=password)
        users = db_users()
        uid = users[username]
        roles = db_roles()
        rid = roles["administrator"]
        set_user_role(
            user_id=[
                str(uid),
            ],
            role_ids=[
                str(rid),
            ],
        )
    else:
        # modify an existing user ("wazuh" or "wazuh-wui")
        uid = initial_users[username]
        update_user(
            user_id=[
                str(uid),
            ],
            password=password,
        )
    # disable unused default users
    for def_user in ['wazuh', 'wazuh-wui']:
        if def_user != username:
            disable_user(initial_users[def_user])
--- a/wazuh-odfe/config/etc/cont-init.d/1-config-filebeat
+++ b/wazuh-odfe/config/etc/cont-init.d/1-config-filebeat
@@ -1,45 +0,0 @@
 #!/usr/bin/with-contenv bash
 # Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 set -e
 if [ "$ELASTICSEARCH_URL" != "" ]; then
  >&2 echo "Customize Elasticsearch ouput IP"
  sed -i "s|hosts:.*|hosts: ['$ELASTICSEARCH_URL']|g" /etc/filebeat/filebeat.yml
 fi
 # Configure filebeat.yml security settings
 if [ "$ELASTIC_USERNAME" != "" ]; then
  >&2 echo "Configuring username."
  sed -i "s|#username:.*|username: '$ELASTIC_USERNAME'|g" /etc/filebeat/filebeat.yml
 fi
 if [ "$ELASTIC_PASSWORD" != "" ]; then
  >&2 echo "Configuring password."
  sed -i "s|#password:.*|password: '$ELASTIC_PASSWORD'|g" /etc/filebeat/filebeat.yml
 fi
 if [ "$FILEBEAT_SSL_VERIFICATION_MODE" != "" ]; then
  >&2 echo "Configuring SSL verification mode."
  sed -i "s|#ssl.verification_mode:.*|ssl.verification_mode: $FILEBEAT_SSL_VERIFICATION_MODE|g" /etc/filebeat/filebeat.yml
 fi
 if [ "$SSL_CERTIFICATE_AUTHORITIES" != "" ]; then
  >&2 echo "Configuring Certificate Authorities."
  sed -i "s|#ssl.certificate_authorities:.*|ssl.certificate_authorities: ['$SSL_CERTIFICATE_AUTHORITIES']|g" /etc/filebeat/filebeat.yml
 fi
 if [ "$SSL_CERTIFICATE" != "" ]; then
  >&2 echo "Configuring SSL Certificate."
  sed -i "s|#ssl.certificate:.*|ssl.certificate: '$SSL_CERTIFICATE'|g" /etc/filebeat/filebeat.yml
 fi
 if [ "$SSL_KEY" != "" ]; then
  >&2 echo "Configuring SSL Key."
  sed -i "s|#ssl.key:.*|ssl.key: '$SSL_KEY'|g" /etc/filebeat/filebeat.yml
 fi
 chmod go-w /etc/filebeat/filebeat.yml || true
 chown root: /etc/filebeat/filebeat.yml || true
--- a/wazuh-odfe/config/etc/cont-init.d/2-manager
+++ b/wazuh-odfe/config/etc/cont-init.d/2-manager
@@ -1,126 +0,0 @@
 #!/usr/bin/with-contenv bash
 ##############################################################################
 # Migration sequence
 # Detect if there is a mounted volume on /wazuh-migration and copy the data
 # to /var/ossec, finally it will create a flag ".migration-completed" inside
 # the mounted volume
 ##############################################################################
 function __colortext()
 {
  echo -e " \e[1;$2m$1\e[0m"
 }
 function echogreen()
 {
  echo $(__colortext "$1" "32")
 }
 function echoyellow()
 {
  echo $(__colortext "$1" "33")
 }
 function echored()
 {
  echo $(__colortext "$1" "31")
 }
 function_wazuh_migration(){
  if [ -d "/wazuh-migration" ]; then
    if [ ! -e /wazuh-migration/.migration-completed ]; then
      if [ ! -e /wazuh-migration/global.db ]; then
        echoyellow "The volume mounted on /wazuh-migration does not contain all the correct files."
        return
      fi
      \cp -f /wazuh-migration/data/etc/ossec.conf /var/ossec/etc/ossec.conf
      chown root:ossec /var/ossec/etc/ossec.conf
      chmod 640 /var/ossec/etc/ossec.conf
      \cp -f /wazuh-migration/data/etc/client.keys /var/ossec/etc/client.keys
      chown ossec:ossec /var/ossec/etc/client.keys
      chmod 640 /var/ossec/etc/client.keys
      \cp -f /wazuh-migration/data/etc/sslmanager.cert /var/ossec/etc/sslmanager.cert
      \cp -f /wazuh-migration/data/etc/sslmanager.key /var/ossec/etc/sslmanager.key
      chown root:root /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
      chmod 640 /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
      \cp -f /wazuh-migration/data/etc/shared/default/agent.conf /var/ossec/etc/shared/default/agent.conf
      chown ossec:ossec /var/ossec/etc/shared/default/agent.conf
      chmod 660 /var/ossec/etc/shared/default/agent.conf
      \cp -f /wazuh-migration/data/etc/decoders/* /var/ossec/etc/decoders/
      chown ossec:ossec /var/ossec/etc/decoders/*
      chmod 660 /var/ossec/etc/decoders/*
      \cp -f /wazuh-migration/data/etc/rules/* /var/ossec/etc/rules/
      chown ossec:ossec /var/ossec/etc/rules/*
      chmod 660 /var/ossec/etc/rules/*
      if [ -e /wazuh-migration/data/agentless/.passlist ]; then
        \cp -f /wazuh-migration/data/agentless/.passlist /var/ossec/agentless/.passlist
        chown root:ossec /var/ossec/agentless/.passlist
        chmod 640 /var/ossec/agentless/.passlist
      fi
      \cp -f /wazuh-migration/global.db /var/ossec/queue/db/global.db
      chown ossec:ossec /var/ossec/queue/db/global.db
      chmod 640 /var/ossec/queue/db/global.db
      # mark volume as migrated
      touch /wazuh-migration/.migration-completed
      echogreen "Migration completed succesfully"
    else
      echoyellow "This volume has already been migrated. You may proceed and remove it from the mount point (/wazuh-migration)"
    fi
  fi
 }
 function_create_custom_user() {
  if [[ ! -z $API_USERNAME ]] && [[ ! -z $API_PASSWORD ]]; then
  cat << EOF > /var/ossec/api/configuration/admin.json
 {
  "username": "$API_USERNAME",
  "password": "$API_PASSWORD"
 }
 EOF
    # create or customize API user
    if /var/ossec/framework/python/bin/python3  /var/ossec/framework/scripts/create_user.py; then
      # remove json if exit code is 0
      rm /var/ossec/api/configuration/admin.json
    else
      echored "There was an error configuring the API user"
      # terminate container to avoid unpredictable behavior
      exec s6-svscanctl -t /var/run/s6/services
      exit 1
    fi
  fi
 }
 function_entrypoint_scripts() {
  # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
  if [ -d "/entrypoint-scripts/" ]
  then
    for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
      bash "$script"
    done
  fi
 }
 # Migrate data from /wazuh-migration volume
 function_wazuh_migration
 # create API custom user
 function_create_custom_user
 # run entrypoint scripts
 function_entrypoint_scripts
 # Start Wazuh
 /var/ossec/bin/wazuh-control start
--- a/wazuh-odfe/config/etc/services.d/filebeat/finish
+++ b/wazuh-odfe/config/etc/services.d/filebeat/finish
@@ -1,6 +0,0 @@
 #!/usr/bin/env sh
 echo >&2 "Filebeat exited. code=${1}"
 # terminate other services to exit from the container
 exec s6-svscanctl -t /var/run/s6/services
--- a/wazuh-odfe/config/etc/services.d/filebeat/run
+++ b/wazuh-odfe/config/etc/services.d/filebeat/run
@@ -1,4 +0,0 @@
 #!/usr/bin/with-contenv sh
 echo >&2 "starting Filebeat"
 exec /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
--- a/wazuh-odfe/config/etc/services.d/ossec-logs/run
+++ b/wazuh-odfe/config/etc/services.d/ossec-logs/run
@@ -1,4 +0,0 @@
 #!/usr/bin/with-contenv sh
 # dumping ossec.log to standard output
 exec tail -f /var/ossec/logs/ossec.log
--- a/wazuh-odfe/config/filebeat.yml
+++ b/wazuh-odfe/config/filebeat.yml
@@ -1,22 +0,0 @@
 # Wazuh - Filebeat configuration file
 filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
 setup.template.json.enabled: true
 setup.template.json.path: '/etc/filebeat/wazuh-template.json'
 setup.template.json.name: 'wazuh'
 setup.template.overwrite: true
 setup.ilm.enabled: false
 output.elasticsearch:
  hosts: ['https://elasticsearch:9200']
  #username:
  #password:
  #ssl.verification_mode:
  #ssl.certificate_authorities:
  #ssl.certificate:
  #ssl.key:
--- a/wazuh-odfe/config/wazuh.repo
+++ b/wazuh-odfe/config/wazuh.repo
@@ -1,7 +0,0 @@
 [wazuh_repo]
 gpgcheck=1
 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
 enabled=1
 name=Wazuh repository
 baseurl=https://packages.wazuh.com/4.x/yum/
 protect=1
--- a/wazuh/Dockerfile
+++ b/wazuh/Dockerfile
@@ -0,0 +1,134 @@
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM phusion/baseimage:latest
 # Arguments
 ARG FILEBEAT_VERSION=7.4.2
 ARG WAZUH_VERSION=3.11.5-1
 # Environment variables
 ENV API_USER="foo" \
   API_PASS="bar"
 ARG TEMPLATE_VERSION="v3.11.5"
 ENV FILEBEAT_DESTINATION="elasticsearch"
 COPY config/wazuh-manager_3.11.5-1_amd64.deb /wazuh-manager_3.11.5-1_amd64.deb
 COPY config/wazuh-api_3.11.5-1_amd64.deb /wazuh-api_3.11.5-1_amd64.deb
 # Install packages
 RUN set -x && \
    echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
    curl --silent --location https://deb.nodesource.com/setup_8.x | bash - && \
    echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections && \
    echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections && \
    groupadd -g 1000 ossec && \
    useradd -u 1000 -g 1000 -d /var/ossec ossec && \
    add-apt-repository universe && \
    apt-get update && \
    apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
    apt-get --no-install-recommends --no-install-suggests -y install openssl apt-transport-https vim expect python-boto python-pip python-cryptography && \
    apt-get --no-install-recommends --no-install-suggests -y install postfix bsd-mailx mailutils libsasl2-2 ca-certificates libsasl2-modules && \
 #   apt-get --no-install-recommends --no-install-suggests -y install wazuh-manager=${WAZUH_VERSION} && \
    dpkg -i /wazuh-manager_3.11.5-1_amd64.deb && apt-get install -f && \
 #   apt-get --no-install-recommends --no-install-suggests -y install nodejs wazuh-api=${WAZUH_VERSION} && \
    apt-get --no-install-recommends --no-install-suggests -y install nodejs && \
    dpkg -i /wazuh-api_3.11.5-1_amd64.deb && apt-get install -f && \
 #   Disable updates to this package
    echo "wazuh-manager hold" | dpkg --set-selections && \
    echo "wazuh-api hold" | dpkg --set-selections && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
    rm -f /var/ossec/logs/alerts/*/*/* && \
    rm -f /var/ossec/logs/archives/*/*/* && \
    rm -f /var/ossec/logs/firewall/*/*/* && \
    rm -f /var/ossec/logs/api/*/*/* && \
    rm -f /var/ossec/logs/cluster/*/*/* && \
    rm -f /var/ossec/logs/ossec/*/*/* && \
    rm /var/ossec/var/run/* && \
    rm /wazuh-manager_3.11.5-1_amd64.deb && \
    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb && \
    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
 # Services
 RUN mkdir /etc/service/wazuh && \
   mkdir /etc/service/wazuh-api && \
   mkdir /etc/service/postfix && \
   mkdir /etc/service/filebeat
 COPY config/wazuh.runit.service /etc/service/wazuh/run
 COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
 COPY config/postfix.runit.service /etc/service/postfix/run
 COPY config/filebeat.runit.service /etc/service/filebeat/run
 RUN chmod +x /etc/service/wazuh-api/run && \
   chmod +x /etc/service/wazuh/run && \
   chmod +x /etc/service/postfix/run && \
   chmod +x /etc/service/filebeat/run 
 # Copy configuration files from repository
 COPY config/filebeat_to_elasticsearch.yml ./
 COPY config/filebeat_to_logstash.yml ./
 # Prepare permanent data
 # Sync calls are due to https://github.com/docker/docker/issues/9547
 COPY config/permanent_data.env /permanent_data.env
 COPY config/permanent_data.sh /permanent_data.sh
 RUN chmod 755 /permanent_data.sh && \
    sync && \
    /permanent_data.sh && \
    sync && \
    rm /permanent_data.sh 
 # Expose ports
 EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
 # Setting volumes
 # Once we declared a volume in the Dockerfile, changes made to that path will have no effect. In other words, any changes made
 # to the these paths from here to the end of the Dockerfile will not be taken into account when mounting the volume.
 VOLUME ["/var/ossec/api/configuration"]
 VOLUME ["/var/ossec/etc"]
 VOLUME ["/var/ossec/logs"]
 VOLUME ["/var/ossec/queue"]
 VOLUME ["/var/ossec/var/multigroups"]
 VOLUME ["/var/ossec/integrations"]
 VOLUME ["/var/ossec/active-response/bin"]
 VOLUME ["/var/ossec/wodles"]
 VOLUME ["/etc/filebeat"]
 VOLUME ["/etc/postfix"]
 VOLUME ["/var/lib/filebeat"]
 # Prepare entrypoint scripts
 # Entrypoint scripts must be added to the entrypoint-scripts directory
 RUN mkdir /entrypoint-scripts
 COPY config/entrypoint.sh /entrypoint.sh
 COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh
 COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
 COPY config/02-set_filebeat_destination.sh /entrypoint-scripts/02-set_filebeat_destination.sh
 COPY config/03-config_filebeat.sh /entrypoint-scripts/03-config_filebeat.sh
 COPY config/20-ossec-configuration.sh /entrypoint-scripts/20-ossec-configuration.sh
 COPY config/25-backups.sh /entrypoint-scripts/25-backups.sh
 COPY config/35-remove_credentials_file.sh /entrypoint-scripts/35-remove_credentials_file.sh
 RUN chmod 755 /entrypoint.sh && \
    chmod 755 /entrypoint-scripts/00-decrypt_credentials.sh && \
    chmod 755 /entrypoint-scripts/01-wazuh.sh && \
    chmod 755 /entrypoint-scripts/02-set_filebeat_destination.sh && \
    chmod 755 /entrypoint-scripts/03-config_filebeat.sh && \
    chmod 755 /entrypoint-scripts/20-ossec-configuration.sh && \
    chmod 755 /entrypoint-scripts/25-backups.sh && \
    chmod 755 /entrypoint-scripts/35-remove_credentials_file.sh
 # Workaround. 
 # Issues: Wazuh-api
 # https://github.com/wazuh/wazuh-api/issues/440  
 # https://github.com/wazuh/wazuh-api/issues/443
 COPY --chown=root:ossec config/agents.js /var/ossec/api/controllers/agents.js
 RUN chmod 770 /var/ossec/api/controllers/agents.js
 # Load wazuh alerts template.
 ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
 RUN chmod go-w /etc/filebeat/wazuh-template.json 
 # Run all services
 ENTRYPOINT ["/entrypoint.sh"]
--- a/wazuh/config/00-decrypt_credentials.sh
+++ b/wazuh/config/00-decrypt_credentials.sh
@@ -0,0 +1,15 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # Decrypt credentials.
 # If the credentials of the API user to be created are encrypted,
 # it must be decrypted for later use. 
 ##############################################################################
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
    echo "CREDENTIALS - Security credentials file not used. Nothing to do."
 else
    echo "CREDENTIALS - TO DO"
 fi
 # TO DO
--- a/wazuh-odfe/config/etc/cont-init.d/0-wazuh-init
+++ b/wazuh-odfe/config/etc/cont-init.d/0-wazuh-init
@@ -1,5 +1,5 @@
-#!/usr/bin/with-contenv bash
+#!/bin/bash
-# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 # Variables
 source /permanent_data.env
@@ -7,6 +7,7 @@ source /permanent_data.env
 WAZUH_INSTALL_PATH=/var/ossec
 WAZUH_CONFIG_MOUNT=/wazuh-config-mount
 AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
 API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
 ##############################################################################
@@ -31,6 +32,14 @@ exec_cmd_stdout() {
 }
 ##############################################################################
 # Edit configuration
 ##############################################################################
 edit_configuration() { # $1 -> setting,  $2 -> value
  sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${WAZUH_INSTALL_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
 }
 ##############################################################################
 # This function will attempt to mount every directory in PERMANENT_DATA 
 # into the respective path. 
@@ -74,23 +83,6 @@ apply_exclusion_data() {
  done
 }
 ##############################################################################
 # This function will rename in the permanent data volume every file
 # contained in PERMANENT_DATA_MOVE
 ##############################################################################
 move_data_files() {
  for mov_file in "${PERMANENT_DATA_MOVE[@]}"; do
    file_split=( $mov_file )
    if [ -e ${file_split[0]} ]
    then
      print "moving ${mov_file}"
      exec_cmd "mv -f ${mov_file}"
    fi
  done
 }
 ##############################################################################
 # This function will delete from the permanent data volume every file 
 # contained in PERMANENT_DATA_DEL
@@ -101,7 +93,7 @@ remove_data_files() {
    if [ -e ${del_file} ]
    then 
      print "Removing ${del_file}"
-      exec_cmd "rm -f ${del_file}"
+      exec_cmd "rm ${del_file}"
    fi
  done
 }
@@ -111,11 +103,27 @@ remove_data_files() {
 ##############################################################################
 create_ossec_key_cert() {
-  print "Creating wazuh-authd key and cert"
+  print "Creating ossec-authd key and cert"
  exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.key 4096"
  exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
 }
 ##############################################################################
 # Create certificates: API
 ##############################################################################
 create_api_key_cert() {
  print "Enabling Wazuh API HTTPS"
  edit_configuration "https" "yes"
  print "Create Wazuh API key and cert"
  exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key 4096"
  exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
  # Granting proper permissions 
  chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key
  chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt
 }
 ##############################################################################
 # Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect
 # destination files permissions
@@ -135,35 +143,60 @@ mount_files() {
  fi
 }
 ##############################################################################
-# Allow users to set the container hostname as <node_name> dynamically on
+# Stop OSSEC
 # container start.
 #
 # To use this:
 # 1. Create your own ossec.conf file
 # 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name
 # 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
 ##############################################################################
-set_custom_hostname() {
+function ossec_shutdown(){
-  sed -i 's/<node_name>to_be_replaced_by_hostname<\/node_name>/<node_name>'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+  ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
 }
 ##############################################################################
-# Allow users to set the container cluster key dynamically on
+# Interpret any passed arguments (via docker command to this entrypoint) as
-# container start.
+# paths or commands, and execute them. 
 #
-# To use this:
+# This can be useful for actions that need to be run before the services are
-# 1. Create your own ossec.conf file
+# started, such as "/var/ossec/bin/ossec-control enable agentless".
 # 2. In your ossec.conf file, set to_be_replaced_by_cluster_key as your key
 # 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
 ##############################################################################
-set_custom_cluster_key() {
+docker_custom_args() {
-  sed -i 's/<key>to_be_replaced_by_cluster_key<\/key>/<key>'"${WAZUH_CLUSTER_KEY}"'<\/key>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+  for CUSTOM_COMMAND in "$@"
  do
    echo "Executing command \`${CUSTOM_COMMAND}\`"
    exec_cmd_stdout "${CUSTOM_COMMAND}"
  done
 }
 ##############################################################################
 # Change Wazuh API user credentials.
 ##############################################################################
 change_api_user_credentials() {
  pushd /var/ossec/api/configuration/auth/
  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
    WAZUH_API_USER=${API_USER}
    WAZUH_API_PASS=${API_PASS}
  else
    input=${SECURITY_CREDENTIALS_FILE}
    while IFS= read -r line
    do
      if [[ $line == *"WAZUH_API_USER"* ]]; then
        arrIN=(${line//:/ })
        WAZUH_API_USER=${arrIN[1]}
      elif [[ $line == *"WAZUH_API_PASS"* ]]; then
        arrIN=(${line//:/ })
        WAZUH_API_PASS=${arrIN[1]}
      fi
    done < "$input"
  fi
  echo "Change Wazuh API user credentials"
  change_user="node htpasswd -b -c user $WAZUH_API_USER $WAZUH_API_PASS"
  eval $change_user
  popd
 }
 ##############################################################################
 # Main function
 ##############################################################################
@@ -175,13 +208,10 @@ main() {
  # Restore files stored in permanent data that are not permanent  (i.e. internal_options.conf)
  apply_exclusion_data
  # Rename files stored in permanent data (i.e. queue/ossec)
  move_data_files
  # Remove some files in permanent_data (i.e. .template.db)
  remove_data_files
-  # Generate wazuh-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist
+  # Generate ossec-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist
  if [ $AUTO_ENROLLMENT_ENABLED == true ]
  then
    if [ ! -e ${WAZUH_INSTALL_PATH}/etc/sslmanager.key ]
@@ -190,14 +220,26 @@ main() {
    fi
  fi
  # Generate API certs if API_GENERATE_CERTS is true and does not exist
  if [ $API_GENERATE_CERTS == true ]
  then
    if [ ! -e ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt ]
    then
      create_api_key_cert
    fi
  fi
  # Mount selected files (WAZUH_CONFIG_MOUNT) to container
  mount_files
-  # Allow setting custom hostname
+  # Trap exit signals and do a proper shutdown
-  set_custom_hostname
+  trap "ossec_shutdown; exit" SIGINT SIGTERM
-  # Allow setting custom cluster key
+  # Execute custom args
-  set_custom_cluster_key
+  docker_custom_args
  # Change API user credentials
  change_api_user_credentials
  # Delete temporary data folder
  rm -rf ${WAZUH_INSTALL_PATH}/data_tmp
--- a/wazuh/config/02-set_filebeat_destination.sh
+++ b/wazuh/config/02-set_filebeat_destination.sh
@@ -0,0 +1,30 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # Set Filebeat destination.  
 ##############################################################################
 if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
    echo "FILEBEAT - Set destination to Elasticsearch"
    cp filebeat_to_elasticsearch.yml /etc/filebeat/filebeat.yml
    if [[ $FILEBEAT_OUTPUT != "" ]]; then
        sed -i "s/elasticsearch:9200/$FILEBEAT_OUTPUT:9200/" /etc/filebeat/filebeat.yml
    fi
 elif [[ $FILEBEAT_DESTINATION == "logstash" ]]; then
    echo "FILEBEAT - Set destination to Logstash"
    cp filebeat_to_logstash.yml /etc/filebeat/filebeat.yml
    if [[ $FILEBEAT_OUTPUT != "" ]]; then
        sed -i "s/logstash:5000/$FILEBEAT_OUTPUT:5000/" /etc/filebeat/filebeat.yml
    fi
 else
    echo "FILEBEAT - Error choosing destination. Set default filebeat.yml "
 fi
 echo "FILEBEAT - Set permissions"
 chmod go-w /etc/filebeat/filebeat.yml
--- a/wazuh/config/03-config_filebeat.sh
+++ b/wazuh/config/03-config_filebeat.sh
@@ -0,0 +1,23 @@
 #!/bin/bash
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 set -e
 if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
    WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz
    # Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set
    if [ "$ELASTICSEARCH_URL" != "" ]; then
    >&2 echo "FILEBEAT - Customize Elasticsearch ouput IP."
    sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml
    fi
    # Install Wazuh Filebeat Module
    >&2 echo "FILEBEAT - Install Wazuh Filebeat Module."
    curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module
    mkdir -p /usr/share/filebeat/module/wazuh
    chmod 755 -R /usr/share/filebeat/module/wazuh
 fi
--- a/wazuh/config/20-ossec-configuration.sh
+++ b/wazuh/config/20-ossec-configuration.sh
@@ -0,0 +1,13 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # Change Wazuh manager configuration. 
 ##############################################################################
 # # Example: 
 # # Change remote protocol from udp to tcp
 # PROTOCOL="tcp"
 # sed -i -e '/<remote>/,/<\/remote>/ s|<protocol>udp</protocol>|<protocol>'$PROTOCOL'</protocol>|g' /var/ossec/etc/ossec.conf
 # # It is necessary to restart the service in order to apply the new configuration. 
 # service wazuh-manager restart
--- a/wazuh/config/25-backups.sh
+++ b/wazuh/config/25-backups.sh
@@ -0,0 +1,10 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # Enable Wazuh backups and store them in a repository. 
 ##############################################################################
 # TO DO
 echo "BACKUPS - TO DO"
--- a/wazuh/config/35-remove_credentials_file.sh
+++ b/wazuh/config/35-remove_credentials_file.sh
@@ -0,0 +1,14 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 ##############################################################################
 # Decrypt credentials.
 # Remove the credentials file for security reasons.
 ##############################################################################
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
  echo "CREDENTIALS - Security credentials file not used. Nothing to do."
 else
  echo "CREDENTIALS - Remove credentiasl file."
  shred -zvu ${SECURITY_CREDENTIALS_FILE}
 fi
--- a/wazuh/config/agents.js
+++ b/wazuh/config/agents.js
--- a/wazuh/config/entrypoint.sh
+++ b/wazuh/config/entrypoint.sh
@@ -0,0 +1,15 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 # Trap to kill container if it is necessary.
 trap "exit" SIGINT SIGTERM
 # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
  bash "$script"
 done
 ##############################################################################
 # Start Wazuh Server.
 ##############################################################################
 /sbin/my_init 
--- a/wazuh/config/filebeat.runit.service
+++ b/wazuh/config/filebeat.runit.service
@@ -0,0 +1,4 @@
 #!/bin/sh
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service filebeat start
 tail -f /var/log/filebeat/filebeat
--- a/wazuh/config/filebeat_to_elasticsearch.yml
+++ b/wazuh/config/filebeat_to_elasticsearch.yml
@@ -0,0 +1,55 @@
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 # Wazuh - Filebeat configuration file
 filebeat.inputs:
  - type: log
    paths:
      - '/var/ossec/logs/alerts/alerts.json'
 setup.template.json.enabled: true
 setup.template.json.path: "/etc/filebeat/wazuh-template.json"
 setup.template.json.name: "wazuh"
 setup.template.overwrite: true
 processors:
  - decode_json_fields:
      fields: ['message']
      process_array: true
      max_depth: 200
      target: ''
      overwrite_keys: true
  - drop_fields:
      fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
  - rename:
      fields:
        - from: "data.aws.sourceIPAddress"
          to: "@src_ip"
      ignore_missing: true
      fail_on_error: false
      when:
        regexp:
          data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
  - rename:
      fields:
        - from: "data.srcip"
          to: "@src_ip"
      ignore_missing: true
      fail_on_error: false
      when:
        regexp:
          data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
  - rename:
      fields:
        - from: "data.win.eventdata.ipAddress"
          to: "@src_ip"
      ignore_missing: true
      fail_on_error: false
      when:
        regexp:
          data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
 output.elasticsearch:
  hosts: ['http://elasticsearch:9200']
  #pipeline: geoip
  indices:
    - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'
--- a/wazuh/config/filebeat_to_logstash.yml
+++ b/wazuh/config/filebeat_to_logstash.yml
@@ -0,0 +1,15 @@
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 # Wazuh - Filebeat configuration file
 filebeat:
 inputs:
  - type: log
    paths:
     - "/var/ossec/logs/alerts/alerts.json"
 output:
 logstash:
   # The Logstash hosts
         hosts: ["logstash:5000"]
 #   ssl:
 #     certificate_authorities: ["/etc/filebeat/logstash.crt"]
--- a/wazuh-odfe/config/permanent_data.env
+++ b/wazuh-odfe/config/permanent_data.env
@@ -4,13 +4,12 @@ PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
 PERMANENT_DATA[((i++))]="/var/ossec/etc"
 PERMANENT_DATA[((i++))]="/var/ossec/logs"
 PERMANENT_DATA[((i++))]="/var/ossec/queue"
 PERMANENT_DATA[((i++))]="/var/ossec/queue/logcollector"
 PERMANENT_DATA[((i++))]="/var/ossec/agentless"
 PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
 PERMANENT_DATA[((i++))]="/var/ossec/integrations"
 PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
 PERMANENT_DATA[((i++))]="/var/ossec/wodles"
 PERMANENT_DATA[((i++))]="/etc/filebeat"
 PERMANENT_DATA[((i++))]="/etc/postfix"
 export PERMANENT_DATA
 # Files mounted in a volume that should not be permanent
@@ -21,52 +20,42 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw_mac.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/wazuh-slack"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-slack.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-tweeter.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-wazuh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_bsd"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/main.exp"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/su.exp"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_linux"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/register_host.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/integration.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_oval.xsl"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/tools.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_xccdf.xsl"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/utils.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-debian-8-oval.xml"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-debian-9-oval.xml"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-ubuntu-xenial-oval.xml"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-debian-8-ds.xml"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-ubuntu-1404-ds.xml"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-ubuntu-1604-ds.xml"
 export PERMANENT_DATA_EXCP
 # Files mounted in a volume that should be deleted 
 i=0
 PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db"
 export PERMANENT_DATA_DEL
 i=0
 PERMANENT_DATA_MOVE[((i++))]="/var/ossec/logs/ossec /var/ossec/logs/wazuh"
 PERMANENT_DATA_MOVE[((i++))]="/var/ossec/queue/ossec /var/ossec/queue/sockets"
 export PERMANENT_DATA_MOVE
--- a/wazuh-odfe/config/permanent_data.sh
+++ b/wazuh-odfe/config/permanent_data.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 # Variables
 source /permanent_data.env
--- a/wazuh/config/postfix.runit.service
+++ b/wazuh/config/postfix.runit.service
@@ -0,0 +1,4 @@
 #!/bin/sh
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service postfix start
 tail -f /var/log/mail.log
--- a/wazuh/config/wazuh-api.runit.service
+++ b/wazuh/config/wazuh-api.runit.service
@@ -0,0 +1,5 @@
 #!/bin/sh
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service wazuh-api start
 tail -f /var/ossec/logs/api.log
--- a/wazuh/config/wazuh-api_3.11.5-1_amd64.deb
+++ b/wazuh/config/wazuh-api_3.11.5-1_amd64.deb
--- a/wazuh/config/wazuh-manager_3.11.5-1_amd64.deb.REMOVED.git-id
+++ b/wazuh/config/wazuh-manager_3.11.5-1_amd64.deb.REMOVED.git-id
@@ -0,0 +1 @@
 b4bbb79aca532ca4f5321a89f9dffae1f934bc6f
--- a/wazuh/config/wazuh.runit.service
+++ b/wazuh/config/wazuh.runit.service
@@ -0,0 +1,5 @@
 #!/bin/sh
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service wazuh-manager start
 tail -f /var/ossec/logs/ossec.log
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Robin	70be87cec8	Upgrade Wazuh to 3.11.5 (#334 ) Former-commit-id: `18640426af`	2020-04-20 17:53:24 +02:00
AlfonsoRBJ	d8a90dc6b7	delay the wazuh remove credentials (#319 ) Former-commit-id: `cc0e0d13aa`	2020-03-26 15:58:33 +01:00
AlfonsoRBJ	99d54f1776	Adapt to 3.11.4_7.4.2 (#314 ) Former-commit-id: `7fe1c6bd1b`	2020-03-25 18:45:58 +01:00
AlfonsoRBJ	33e451f755	delaying the backup configuration (#317 ) Former-commit-id: `b2ee66374e`	2020-03-24 12:14:19 +01:00
Mayte Ariza	d05ec226d8	Create .wazuh index before setting the API credentials (#312 ) Former-commit-id: `7f8b0b855a`	2020-03-10 13:37:33 +01:00
AlfonsoRBJ	3f206679da	Add trap for sbin my init (#310 ) Former-commit-id: `7e7f97c4cd`	2020-03-04 12:24:18 +01:00
AlfonsoRBJ	2f0bb8e43c	Hide index management button Former-commit-id: `9d61e963c7`	2020-01-10 16:23:43 +01:00
AlfonsoRBJ	c91681853e	Custom logos for Kibana (#291 ) Former-commit-id: `e5169cc22d`	2020-01-10 13:47:13 +01:00
AlfonsoRBJ	936b47ae57	Replace Wazuh App to allow read users access Former-commit-id: `bc6f752e10`	2019-12-26 09:40:07 +01:00
AlfonsoRBJ	3431411eaf	add workaround for vulnerability detector data published field (#282 ) Former-commit-id: `e3883725b9`	2019-12-12 11:52:53 +01:00
AlfonsoRBJ	503200ea70	Remove kibana custom configuration (#279 ) Former-commit-id: `fcca484a9e`	2019-12-05 11:52:03 +01:00
AlfonsoRBJ	a5013d2cf8	Remove Logstash pipeline customization (#280 ) Former-commit-id: `2b7171101b`	2019-12-05 11:48:15 +01:00
AlfonsoRBJ	bc693841fd	Fixed the option to change Filebeat output (#268 ) Former-commit-id: `910caf6bd3`	2019-11-05 16:20:36 +01:00
Jesús Linares	202e1669c5	App 3.10.2 - 7.3.2 with security fix (#264 ) Former-commit-id: `a8e0804e04`	2019-10-15 17:19:09 +02:00
Jesús Linares	9cdcf05d49	Merge pull request #263 from wazuh/elastic-7-cloud Former-commit-id: `4d6f09cec8`	2019-10-10 16:24:50 +02:00
AlfonsoRBJ	d15ea1ff51	Elasticserach 7 - Template mangement (#262 ) Former-commit-id: `2113b5b3d5`	2019-10-10 15:53:24 +02:00
AlfonsoRBJ	ddd37f0f9a	Fixes for cloud Elastic 7 (#260 ) Former-commit-id: `ca1578ed27`	2019-10-03 17:38:43 +02:00
AlfonsoRBJ	fdb55e8ce1	Elastic 7-x Docker refactor (#257 ) Former-commit-id: `d3220826fc`	2019-10-01 13:10:01 +02:00
AlfonsoRBJ	086ba71c69	Elastic 7-x cloud adaption (#255 ) Former-commit-id: `6d9595327d`	2019-10-01 11:28:04 +02:00
Mayte Ariza	303e0f6557	Add wodles to permanent_data (#239 ) Former-commit-id: `7a8b332c93`	2019-09-06 15:29:25 +02:00
Mayte Ariza	1d35f292db	Fix copy except files (#238 ) Former-commit-id: `bd2fa5c40d`	2019-09-06 10:42:39 +02:00
Mayte Ariza	4c3f149428	Change v6.8.1 version to v6.8.2 (#237 ) Former-commit-id: `c427c971a4`	2019-09-05 17:18:55 +02:00
Jesus Linares	7cb82937dc	Update version: 3.9.4 - 6.8.1 Former-commit-id: `0644dd36e0`	2019-09-05 10:56:51 +02:00
Jesús Linares	f494f6eca2	Merge pull request #236 from wazuh/cloud-0.6-debug Cloud 0.6 - fixes Former-commit-id: `93eb42bb96`	2019-09-05 10:52:07 +02:00
AlfonsoRBJ	84a06e2fbc	Wazuh 3.9.4 Elastic 6.8.1_3.9.3 Former-commit-id: `e88be1d4bb`	2019-09-05 10:29:55 +02:00
AlfonsoRBJ	c346863593	Merge branch 'issue-234-cloud0.6-wodles' into cloud-0.6-debug Former-commit-id: `62499ce622`	2019-09-05 10:22:32 +02:00
Mayte Ariza	dccb8aca54	Set filebeat to 6.8.1 Former-commit-id: `e22eba52b9`	2019-09-05 10:20:16 +02:00
Mayte Ariza	18971e3fde	Remove 6.8.2 version Former-commit-id: `abbe2f20e4`	2019-09-05 10:16:07 +02:00
Josemi Hernandez	7faed76e44	Added TLS version filter (#227 ) Former-commit-id: `af007c69d4`	2019-09-05 09:46:55 +02:00
Mayte Ariza	f3e3abfaf0	Add agents.js Former-commit-id: `2c5a1f7c58`	2019-09-04 13:11:49 +02:00
Mayte Ariza	27c37d808a	Changed versions: wazuh 3.9.4 and kibana 6.8.2 Former-commit-id: `6b13810e6a`	2019-09-04 12:29:02 +02:00
AlfonsoRBJ	3a06c32e62	add minimun_master_nodes Former-commit-id: `816549c3b6`	2019-09-04 11:26:06 +02:00
AlfonsoRBJ	2918502fd1	save original elasticserach.yml Former-commit-id: `eed444bbbb`	2019-09-04 11:11:59 +02:00
Mayte Ariza	d1eb6e7b98	Removed chmod command in entrypoint Former-commit-id: `9460780adb`	2019-09-04 08:38:43 +02:00
Mayte Ariza	6656fddf70	Added new volume: wodles folder Former-commit-id: `36e3fa403d`	2019-09-04 08:32:56 +02:00
AlfonsoRBJ	131d25979b	improve workaround description Former-commit-id: `24da1f4d0f`	2019-09-03 16:31:55 +02:00
AlfonsoRBJ	abfe509753	workaround for wazuh-api issue 440 and 443 Former-commit-id: `d3cfd2234a`	2019-09-03 16:21:16 +02:00
AlfonsoRBJ	9d71a6cbcc	install wazuh without custom package Former-commit-id: `db733fc849`	2019-09-03 11:50:30 +02:00
AlfonsoRBJ	610f6f49ce	add debug to S3 repository creation in elasticsearch image Former-commit-id: `0c571ad3f9`	2019-09-03 11:15:35 +02:00
AlfonsoRBJ	71933d6625	Merge branch 'k8s' into cloud-0.5 Former-commit-id: `901c29c3ab`	2019-09-02 15:12:46 +02:00
Mayte Ariza	7afe64b238	Removed write permissions for group and other in Integrations folder (#226 ) * Removed go-w permissions in integrations folder * Modified permissions command	2019-08-27 13:31:04 +02:00
Daniel Ruiz	37f50dac1c	Fix docker volumes error Former-commit-id: `e8ecb63183`	2019-07-24 09:26:23 +02:00
Mayte Ariza	7c11a8568c	Fixing remove files (#210 )	2019-07-15 09:43:08 +02:00
Mayte Ariza	0bf9766883	Check if file exists before removing it (#209 )	2019-07-15 08:37:31 +02:00
AlfonsoRBJ	59f60f63b6	Upgrade to 3.9.3_6.8.1 version (#207 )	2019-07-12 16:35:26 +02:00
Mayte Ariza	c9ed007771	Permissions rw for group added (#206 )	2019-07-12 16:03:32 +02:00
Mayte Ariza	15dbd60605	New volumes declaration in Wazuh Dockerfile (#203 )	2019-07-09 13:59:36 +02:00
AlfonsoRBJ	eca30fb709	add CA correct management for Logstash (#202 )	2019-07-08 18:32:36 +02:00
AlfonsoRBJ	065b5bb5cf	Security for Elastic Stack (#196 )	2019-07-08 14:02:19 +02:00
Mayte Ariza	d98ab1b4f3	Wazuh image improvements (#188 )	2019-07-08 13:37:57 +02:00
AlfonsoRBJ	c077b496bd	resolve merge conflicts from branch 3.9.2_6.8.0	2019-06-17 16:02:12 +02:00
Manuel J. Bernal	815039333d	Updated CHANGELOG	2019-06-12 18:09:33 +02:00
Manuel J. Bernal	9b2ecdb47d	Bump version 3.8.2_6.8.0	2019-06-12 18:08:23 +02:00
AlfonsoRBJ	651077e2c7	Update CHANGELOG.md	2019-06-04 13:12:46 +02:00
AlfonsoRBJ	d8ac9e617b	Update CHANGELOG.md	2019-06-04 13:12:13 +02:00
AlfonsoRBJ	9db0001e08	conflicts resolved in merge 3.9.1_6.8.0 over k8s branch	2019-05-28 12:43:16 +02:00
Mayte Ariza	096246abcb	Removing log files (#169 )	2019-05-15 08:14:33 +02:00
AlfonsoRBJ	d2766454d0	Disable additionals X-Pack applications and hide unnecesary management links (#163 )	2019-05-08 15:50:42 +02:00
Mayte Ariza	a88e5495d5	Merge branch '3.9.0_6.7.1' into k8s	2019-05-06 11:56:05 +02:00
Mayte Ariza	3f94f734d4	Removing logs from Wazuh image (#153 )	2019-04-26 08:08:49 +02:00
`@@ -1,2 +1,2 @@`
	`WAZUH-DOCKER_VERSION="4.2.3"`	`WAZUH-DOCKER_VERSION="3.11.5_7.3.2"`
	`REVISION="40217"`	`REVISION="31150"`
		`@@ -1 +0,0 @@`
			<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 84.67 84.67"><defs><style>.a{fill:#fff;}.b{fill:#00a9e5;}</style></defs><title>wazuh_logo_circle</title><circle class="a" cx="42.34" cy="42.34" r="42.34"/><path class="b" d="M58.13,9.2,50,26.32H35.07L26.16,9.2,20,31l-8.53,9.72,19.18,17.6,7.47,17.21h8.53l7-16.91L73.24,40.83l-8.73-9.57ZM48.58,55.13a1.79,1.79,0,0,1-.74.62,2.49,2.49,0,0,1-1,.2,2.52,2.52,0,0,1-1-.2,1.84,1.84,0,0,1-.71-.62l-2.88-4.36-2.9,4.36a1.87,1.87,0,0,1-.72.62,2.48,2.48,0,0,1-.95.2,1.94,1.94,0,0,1-1.7-.82L21.3,41.37h4.09L37.87,52.3l2.49-3.89h3.93L47,52.3,59.63,40.9h3.74Z"/></svg>