commit 5b0b9e8729fc03dfcd0409652a693c0c3ab1bb11 Author: franv Date: Sat Sep 5 14:31:30 2020 -0700 first commit
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..3696be8
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,295 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+
+## Wazuh Docker v3.13.1_7.8.0
+
+### Added
+
+- Update to Wazuh version 3.13.1_7.8.0
+
+## Wazuh Docker v3.13.0_7.7.1
+
+### Added
+
+- Update to Wazuh version 3.13.3_7.7.1
+
+### Fixed
+
+- Save agentless state ([@xr09](https://github.com/xr09)) [#350](https://github.com/wazuh/wazuh-docker/pull/350)
+- Use HTTP credentials for service check when required ([@xr09](https://github.com/xr09)) [#356](https://github.com/wazuh/wazuh-docker/pull/356)
+
+## Wazuh Docker v3.12.3_7.6.2
+
+### Added
+
+- Update to Wazuh version 3.12.3_7.6.2
+
+
+## Wazuh Docker v3.12.2_7.6.2
+
+### Added
+
+- Update to Wazuh version 3.12.2_7.6.2
+
+## Wazuh Docker v3.12.1_7.6.2
+
+### Added
+
+- Update to Wazuh version 3.12.1_7.6.2
+
+### Fixed
+
+- Agent timestamp not being properly saved ([@xr09](https://github.com/xr09)) [#323](https://github.com/wazuh/wazuh-docker/pull/323)
+
+
+## Wazuh Docker v3.12.0_7.6.1
+
+### Added
+
+- Update to Wazuh version 3.12.0_7.6.1
+
+
+## Wazuh Docker v3.11.4_7.6.1
+
+### Added
+
+- Update to Wazuh version 3.11.4_7.6.1
+
+- Enable HTTP v2 on nginx ([@xr09](https://github.com/xr09)) [#308](https://github.com/wazuh/wazuh-docker/pull/308)
+
+### Fixed
+
+- Updated NGINX config syntax ([@xr09](https://github.com/xr09)) [#303](https://github.com/wazuh/wazuh-docker/pull/303)
+
+
+## Wazuh Docker v3.11.3_7.5.2
+
+### Added
+
+- Update to Wazuh version 3.11.3_7.5.2
+
+## Wazuh Docker v3.11.2_7.5.1
+
+### Added
+
+- Bumped Node.js to version 10 ([@xr09](https://github.com/xr09)) [#8615cd4](https://github.com/wazuh/wazuh-docker/commit/8615cd4d2152601e55becc7c3675360938e74b6a)
+
+### Fixed
+
+- Fix S3 Plugin ([@AnthonySendra](https://github.com/AnthonySendra)) [#293](https://github.com/wazuh/wazuh-docker/pull/293)
+
+## Wazuh Docker v3.11.1_7.5.1
+
+### Added
+
+- Update to Wazuh version 3.11.1_7.5.1
+- Filebeat configuration file updated to latest version ([@manuasir](https://github.com/manuasir)) [#271](https://github.com/wazuh/wazuh-docker/pull/271)
+- Allow using the hostname as node_name for managers ([@JPLachance](https://github.com/JPLachance)) [#261](https://github.com/wazuh/wazuh-docker/pull/261)
+
+## Wazuh Docker v3.11.0_7.5.1
+
+### Added
+
+- Update to Wazuh version 3.11.0_7.5.1
+
+## Wazuh Docker v3.10.2_7.5.0
+
+### Added
+
+- Update to Wazuh version 3.10.2_7.5.0
+
+## Wazuh Docker v3.10.2_7.3.2
+
+### Added
+
+- Update to Wazuh version 3.10.2_7.3.2
+
+## Wazuh Docker v3.10.0_7.3.2
+
+### Added
+
+- Update to Wazuh version 3.10.0_7.3.2
+
+## Wazuh Docker v3.9.5_7.2.1
+
+### Added
+
+- Update to Wazuh version 3.9.5_7.2.1
+
+## Wazuh Docker v3.9.4_7.2.0
+
+### Added
+
+- Update to Wazuh version 3.9.4_7.2.0
+- Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)
+
+## Wazuh Docker v3.9.3_7.2.0
+
+### Fixed
+- Wazuh-docker reinserts cluster settings after resuming containers ([@manuasir](https://github.com/manuasir)) [#213](https://github.com/wazuh/wazuh-docker/pull/213)
+
+## Wazuh Docker v3.9.2_7.1.1
+
+### Added
+
+- Update to Wazuh version 3.9.2_7.1.1
+
+## Wazuh Docker v3.9.2_6.8.0
+
+### Added
+
+- Update to Wazuh version 3.9.2_6.8.0
+
+## Wazuh Docker v3.9.1_7.1.0
+
+### Added
+
+- Support for Elastic v7.1.0
+- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
+
+## Wazuh Docker v3.9.1_6.8.0
+
+### Added
+
+- Update to Wazuh version 3.9.1_6.8.0 ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
+
+### Fixed
+
+- Fixed `ELASTICSEARCH_KIBANA_IP` environment variable ([@manuasir](https://github.com/manuasir)) ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
+
+## Wazuh Docker v3.9.0_6.7.2
+
+### Changed
+
+- Update Elastic Stack version to 6.7.2.
+
+## Wazuh Docker v3.9.0_6.7.1
+
+### Added
+
+- Support for xPACK authorized requests ([@manuasir](https://github.com/manuasir)) ([#119](https://github.com/wazuh/wazuh-docker/pull/119))
+- Add Elasticsearch cluster configuration ([@SitoRBJ](https://github.com/SitoRBJ)). ([#146](https://github.com/wazuh/wazuh-docker/pull/146))
+- Add Elasticsearch cluster configuration ([@Phandora](https://github.com/Phandora)) ([#140](https://github.com/wazuh/wazuh-docker/pull/140))
+- Setting Nginx to support several user/passwords in Kibana ([@toniMR](https://github.com/toniMR)) ([#136](https://github.com/wazuh/wazuh-docker/pull/136))
+
+
+### Changed
+
+- Use LS_JAVA_OPTS instead of old LS_HEAP_SIZE ([@ruffy91](https://github.com/ruffy91)) ([#139](https://github.com/wazuh/wazuh-docker/pull/139))
+- Changing the original Wazuh docker image to allow adding code in the entrypoint ([@Phandora](https://github.com/phandora)) ([#151](https://github.com/wazuh/wazuh-docker/pull/151))
+
+### Removed
+
+- Removing files from Wazuh image ([@Phandora](https://github.com/phandora)) ([#153](https://github.com/wazuh/wazuh-docker/pull/153))
+
+## Wazuh Docker v3.8.2_6.7.0
+
+### Changed
+
+- Update Elastic Stack version to 6.7.0. ([#144](https://github.com/wazuh/wazuh-docker/pull/144))
+
+## Wazuh Docker v3.8.2_6.6.2
+
+### Changed
+
+- Update Elastic Stack version to 6.6.2. ([#130](https://github.com/wazuh/wazuh-docker/pull/130))
+
+## Wazuh Docker v3.8.2_6.6.1
+
+### Changed
+
+- Update Elastic Stack version to 6.6.1. ([#129](https://github.com/wazuh/wazuh-docker/pull/129))
+
+## Wazuh Docker v3.8.2_6.5.4
+
+### Added
+
+- Add Wazuh-Elasticsearch. ([#106](https://github.com/wazuh/wazuh-docker/pull/106))
+- Store Filebeat _/var/lib/filebeat/registry._ ([#109](https://github.com/wazuh/wazuh-docker/pull/109))
+- Adding the option to disable some xpack features. ([#111](https://github.com/wazuh/wazuh-docker/pull/111))
+- Wazuh-Kibana customizable at plugin level. ([#117](https://github.com/wazuh/wazuh-docker/pull/117))
+- Adding env variables for alerts data flow. ([#118](https://github.com/wazuh/wazuh-docker/pull/118))
+- New Logstash entrypoint added. ([#135](https://github.com/wazuh/wazuh-docker/pull/135/files))
+- Welcome screen management. ([#133](https://github.com/wazuh/wazuh-docker/pull/133))
+
+### Changed
+
+- Update to Wazuh version 3.8.2. ([#105](https://github.com/wazuh/wazuh-docker/pull/105))
+
+### Removed
+
+- Remove alerts created in build time. ([#137](https://github.com/wazuh/wazuh-docker/pull/137))
+
+
+## Wazuh Docker v3.8.1_6.5.4
+
+### Changed
+- Update to Wazuh version 3.8.1. ([#102](https://github.com/wazuh/wazuh-docker/pull/102))
+
+## Wazuh Docker v3.8.0_6.5.4
+
+### Changed
+
+- Upgrade version 3.8.0_6.5.4. ([#97](https://github.com/wazuh/wazuh-docker/pull/97))
+
+### Removed
+
+- Remove cluster.py work around. ([#99](https://github.com/wazuh/wazuh-docker/pull/99))
+
+## Wazuh Docker v3.7.2_6.5.4
+
+### Added
+
+- Improvements to Kibana settings added. ([#91](https://github.com/wazuh/wazuh-docker/pull/91))
+- Add Kibana environmental variables for Wazuh APP config.yml. ([#89](https://github.com/wazuh/wazuh-docker/pull/89))
+
+### Changed
+
+- Update Elastic Stack version to 6.5.4. ([#82](https://github.com/wazuh/wazuh-docker/pull/82))
+- Add env credentials for nginx. ([#86](https://github.com/wazuh/wazuh-docker/pull/86))
+- Improve filebeat configuration ([#88](https://github.com/wazuh/wazuh-docker/pull/88))
+
+### Fixed
+
+- Temporary fix for Wazuh cluster master node in Kubernetes. ([#84](https://github.com/wazuh/wazuh-docker/pull/84))
+
+## Wazuh Docker v3.7.2_6.5.3
+
+### Changed
+
+- Erasing temporary fix for AWS integration. ([#81](https://github.com/wazuh/wazuh-docker/pull/81))
+
+### Fixed
+
+- Upgrading errors due to wrong files. ([#80](https://github.com/wazuh/wazuh-docker/pull/80))
+
+
+## Wazuh Docker v3.7.0_6.5.0
+
+### Changed
+
+- Adapt to Elastic stack 6.5.0.
+
+## Wazuh Docker v3.7.0_6.4.3
+
+### Added
+
+- Allow custom scripts or commands before service start ([#58](https://github.com/wazuh/wazuh-docker/pull/58))
+- Added description for wazuh-nginx ([#59](https://github.com/wazuh/wazuh-docker/pull/59))
+- Added license file to match https://github.com/wazuh/wazuh LICENSE ([#60](https://github.com/wazuh/wazuh-docker/pull/60))
+- Added SMTP packages ([#67](https://github.com/wazuh/wazuh-docker/pull/67))
+
+### Changed
+
+- Increased proxy buffer for NGINX Kibana ([#51](https://github.com/wazuh/wazuh-docker/pull/51))
+- Updated logstash config to remove deprecation warnings ([#55](https://github.com/wazuh/wazuh-docker/pull/55))
+- Set ossec user's home path ([#61](https://github.com/wazuh/wazuh-docker/pull/61))
+
+### Fixed
+
+- Fixed a bug that prevents the API from starting when the Wazuh manager was updated. Change in the files that are stored in the volume. ([#65](https://github.com/wazuh/wazuh-docker/pull/65))
+- Fixed script reference ([#62](https://github.com/wazuh/wazuh-docker/pull/62/files))
+
+## Wazuh Docker v3.6.1_6.4.3
+
+Wazuh-Docker starting point.
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..40f5e6c
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,475 @@
+
+ Portions Copyright (C) 2020 Wazuh, Inc.
+ Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
+
+ This program is a free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License (version 2) as
+ published by the FSF - Free Software Foundation.
+
+ In addition, certain source files in this program permit linking with the
+ OpenSSL library (http://www.openssl.org), which otherwise wouldn't be allowed
+ under the GPL. For purposes of identifying OpenSSL, most source files giving
+ this permission limit it to versions of OpenSSL having a license identical to
+ that listed in this file (see section "OpenSSL LICENSE" below). It is not
+ necessary for the copyright years to match between this file and the OpenSSL
+ version in question. However, note that because this file is an extension of
+ the license statements of these source files, this file may not be changed
+ except with permission from all copyright holders of source files in this
+ program which reference this file.
+
+ Note that this license applies to the source code, as well as
+ decoders, rules and any other data file included with OSSEC (unless
+ otherwise specified).
+
+ For the purpose of this license, we consider an application to constitute a
+ "derivative work" or a work based on this program if it does any of the
+ following (list not exclusive):
+
+ * Integrates source code/data files from OSSEC.
+ * Includes OSSEC copyrighted material.
+ * Includes/integrates OSSEC into a proprietary executable installer.
+ * Links to a library or executes a program that does any of the above.
+
+ This list is not exclusive, but just a clarification of our interpretation
+ of derived works. These restrictions only apply if you actually redistribute
+ OSSEC (or parts of it).
+
+ We don't consider these to be added restrictions on top of the GPL,
+ but just a clarification of how we interpret "derived works" as it
+ applies to OSSEC. This is similar to the way Linus Torvalds has
+ announced his interpretation of how "derived works" applies to Linux kernel
+ modules. Our interpretation refers only to OSSEC - we don't speak
+ for any other GPL products.
+
+ * As a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+
+ OSSEC HIDS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ FITNESS FOR A PARTICULAR PURPOSE.
+ See the GNU General Public License Version 2 below for more details.
+
+-----------------------------------------------------------------------------
+
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+
+-------------------------------------------------------------------------------
+
+OpenSSL License
+---------------
+
+ LICENSE ISSUES
+ ==============
+
+ The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
+ the OpenSSL License and the original SSLeay license apply to the toolkit.
+ See below for the actual license texts. Actually both licenses are BSD-style
+ Open Source licenses. In case of any license issues related to OpenSSL
+ please contact openssl-core@openssl.org.
+
+ OpenSSL License
+ ---------------
+
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+ Original SSLeay License
+ -----------------------
+
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the routines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..a53e9aa
--- /dev/null
+++ b/README.md
@@ -0,0 +1,77 @@ +# Wazuh containers for Docker + +[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://wazuh.com/community/join-us-on-slack/) +[![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh) +[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com) +[![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com) + +In this repository you will find the containers to run: + +* wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack) +* wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status. +* wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme). +* wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** + +In addition, a docker-compose file is provided to launch the containers mentioned above. + +* Elasticsearch cluster. In the Elasticsearch Dockerfile we can visualize variables to configure an Elasticsearch Cluster. These variables are used in the file *config_cluster.sh* to set them in the *elasticsearch.yml* configuration file. You can see the meaning of the node variables [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) and other cluster settings [here](https://github.com/elastic/elasticsearch/blob/master/distribution/src/config/elasticsearch.yml). 
+ +## Documentation + +* [Wazuh full documentation](http://documentation.wazuh.com) +* [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html) +* [Docker hub](https://hub.docker.com/u/wazuh) + +## Directory structure + + wazuh-docker + ├── docker-compose.yml + ├── kibana + │   ├── config + │   │   ├── entrypoint.sh + │   │   └── kibana.yml + │   └── Dockerfile + ├── LICENSE + ├── nginx + │   ├── config + │   │   └── entrypoint.sh + │   └── Dockerfile + ├── README.md + ├── CHANGELOG.md + ├── VERSION + ├── test.txt + └── wazuh + ├── config + │   ├── data_dirs.env + │   ├── entrypoint.sh + │   ├── filebeat.runit.service + │   ├── filebeat.yml + │   ├── init.bash + │   ├── postfix.runit.service + │   ├── wazuh-api.runit.service + │   └── wazuh.runit.service + └── Dockerfile + + +## Branches + +* `stable` branch on correspond to the latest Wazuh-Docker stable version. +* `master` branch contains the latest code, be aware of possible bugs on this branch. +* `Wazuh.Version_ElasticStack.Version` (for example 3.13.1_7.8.0) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch. + +## Credits and Thank you + +These Docker containers are based on: + +* "deviantony" dockerfiles which can be found at [https://github.com/deviantony/docker-elk](https://github.com/deviantony/docker-elk) +* "xetus-oss" dockerfiles, which can be found at [https://github.com/xetus-oss/docker-ossec-server](https://github.com/xetus-oss/docker-ossec-server) + +We thank you them and everyone else who has contributed to this project. + +## License and copyright + +Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) + +## Web references + +[Wazuh website](http://wazuh.com) diff --git a/VERSION b/VERSION new file mode 100644 index 0000000..2366272 --- /dev/null +++ b/VERSION @@ -0,0 +1,2 @@ +WAZUH-DOCKER_VERSION="3.13.1_7.8.0" +REVISION="31310" 
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..e5bd339
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,80 @@
+# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+version: '2'
+
+services:
+ wazuh:
+ image: wazuh/wazuh:3.13.1_7.8.0
+ hostname: wazuh-manager
+ restart: always
+ ports:
+ - "1514:1514/udp"
+ - "1515:1515"
+ - "514:514/udp"
+ - "55000:55000"
+ volumes:
+ - wazuh-data:/var/ossec/data/
+# - ./ossec:/var/ossec/:Z
+# - ./ossec/:/var/ossec/
+# - ./postfix:/etc/postfix
+
+
+ elasticsearch:
+ image: wazuh/wazuh-elasticsearch:3.13.1_7.8.0
+ hostname: elasticsearch
+ restart: always
+ ports:
+ - "9200:9200"
+ environment:
+ - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
+ - ELASTIC_CLUSTER=true
+ - CLUSTER_NODE_MASTER=true
+ - CLUSTER_MASTER_NODE_NAME=es01
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ mem_limit: 2g
+
+ kibana:
+ image: wazuh/wazuh-kibana:3.13.1_7.8.0
+ hostname: kibana
+ restart: always
+ environment:
+ - VIRTUAL_HOST=mon.franv.site
+ - LETSENCRYPT_HOST=mon.franv.site
+ - LETSENCRYPT_EMAIL=ouch@thetrauma.org
+ - VIRTUAL_PORT=5061
+
+ depends_on:
+ - elasticsearch
+ links:
+ - elasticsearch:elasticsearch
+ - wazuh:wazuh
+
+# nginx:
+# image: wazuh/wazuh-nginx:3.13.1_7.8.0
+# hostname: nginx
+# restart: always
+# environment:
+## - VIRTUAL_HOST=mon.franv.site
+## - LETSENCRYPT_HOST=mon.franv.site
+## - LETSENCRYPT_EMAIL=ouch@thetrauma.org
+## - VIRTUAL_PORT=443
+## - VIRTUAL_PORT=80
+#
+# - NGINX_PORT=444
+# - NGINX_CREDENTIALS
+# ports:
+# - "81:80"
+# - "444:443"
+# depends_on:
+# - kibana
+# links:
+# - kibana:kibana
+
+volumes:
+ wazuh-data:
+networks:
+ default:
+ external:
+ name: franvproxy_proxy-tier
diff --git a/docker-compose.yml.orig b/docker-compose.yml.orig
new file mode 100644
index 0000000..c2edca6
--- /dev/null
+++ b/docker-compose.yml.orig
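Review bot: The kibana service is published through the external proxy with `VIRTUAL_PORT=5061`, but every other file in this commit reaches Kibana on 5601 (`kibana:5601` in nginx/config/entrypoint.sh and kibana_settings.sh), so this looks like a transposed digit and the proxy would have nothing to forward to; `- VIRTUAL_PORT=5601`. With the nginx service commented out, the TLS and basic-auth layer the README describes is gone and Kibana is exposed directly by the proxy, while `"9200:9200"` and `"55000:55000"` are still bound on the host with no ENABLED_XPACK or ELASTICSEARCH_USERNAME set, so Elasticsearch and the Wazuh API (with the default API_USER/API_PASS from elasticsearch/Dockerfile) are reachable without authentication by anything that can reach the host. Binding those to the loopback interface, e.g. `- "127.0.0.1:9200:9200"`, or dropping the host mapping since the containers already share a network, limits that exposure. A comment on the `networks:` block noting that the external `franvproxy_proxy-tier` network must exist before `docker-compose up` would save the next person a confusing startup failure.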
@@ -0,0 +1,55 @@
+# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+version: '2'
+
+services:
+ wazuh:
+ image: wazuh/wazuh:3.13.1_7.8.0
+ hostname: wazuh-manager
+ restart: always
+ ports:
+ - "1514:1514/udp"
+ - "1515:1515"
+ - "514:514/udp"
+ - "55000:55000"
+
+ elasticsearch:
+ image: wazuh/wazuh-elasticsearch:3.13.1_7.8.0
+ hostname: elasticsearch
+ restart: always
+ ports:
+ - "9200:9200"
+ environment:
+ - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
+ - ELASTIC_CLUSTER=true
+ - CLUSTER_NODE_MASTER=true
+ - CLUSTER_MASTER_NODE_NAME=es01
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ mem_limit: 2g
+
+ kibana:
+ image: wazuh/wazuh-kibana:3.13.1_7.8.0
+ hostname: kibana
+ restart: always
+ depends_on:
+ - elasticsearch
+ links:
+ - elasticsearch:elasticsearch
+ - wazuh:wazuh
+
+ nginx:
+ image: wazuh/wazuh-nginx:3.13.1_7.8.0
+ hostname: nginx
+ restart: always
+ environment:
+ - NGINX_PORT=443
+ - NGINX_CREDENTIALS
+ ports:
+ - "80:80"
+ - "443:443"
+ depends_on:
+ - kibana
+ links:
+ - kibana:kibana
\ No newline at end of file
diff --git a/elasticsearch/Dockerfile b/elasticsearch/Dockerfile
new file mode 100644
index 0000000..9189320
--- /dev/null
+++ b/elasticsearch/Dockerfile
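Review bot: docker-compose.yml.orig is a backup or merge artifact of the upstream compose file rather than source, and committing it leaves a second, diverging definition of the stack (nginx on 80/443, no proxy network) next to the live one. If the intent is to keep the upstream defaults for reference, a comment at the top of docker-compose.yml pointing at the upstream repository's file does the same job; otherwise the file should be removed and `*.orig` added to .gitignore.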
@@ -0,0 +1,56 @@
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+ARG ELASTIC_VERSION=7.8.0
+FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
+ARG ELASTIC_VERSION
+ARG S3_PLUGIN_URL="https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-${ELASTIC_VERSION}.zip"
+
+ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
+
+ENV ALERTS_SHARDS="1" \
+ ALERTS_REPLICAS="0"
+
+ENV API_USER="foo" \
+ API_PASS="bar"
+
+ENV XPACK_ML="true"
+
+ENV ENABLE_CONFIGURE_S3="false"
+
+ARG TEMPLATE_VERSION=v3.13.1
+
+# Elasticearch cluster configuration environment variables
+# If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
+# CLUSTER_INITIAL_MASTER_NODES set to own node by default.
+ENV ELASTIC_CLUSTER="false" \
+ CLUSTER_NAME="wazuh" \
+ CLUSTER_NETWORK_HOST="0.0.0.0" \
+ CLUSTER_NODE_MASTER="false" \
+ CLUSTER_NODE_DATA="true" \
+ CLUSTER_NODE_INGEST="true" \
+ CLUSTER_NODE_NAME="wazuh-elasticsearch" \
+ CLUSTER_MASTER_NODE_NAME="master-node" \
+ CLUSTER_MEMORY_LOCK="true" \
+ CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
+ CLUSTER_NUMBER_OF_MASTERS="2" \
+ CLUSTER_MAX_NODES="1" \
+ CLUSTER_DELAYED_TIMEOUT="1m" \
+ CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch"
+
+COPY config/entrypoint.sh /entrypoint.sh
+
+RUN chmod 755 /entrypoint.sh
+
+COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
+
+RUN chmod +x ./load_settings.sh
+
+RUN bin/elasticsearch-plugin install --batch $S3_PLUGIN_URL
+
+COPY config/configure_s3.sh ./config/configure_s3.sh
+RUN chmod 755 ./config/configure_s3.sh
+
+COPY --chown=elasticsearch:elasticsearch ./config/config_cluster.sh ./
+RUN chmod +x ./config_cluster.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["elasticsearch"]
diff --git a/elasticsearch/config/config_cluster.sh b/elasticsearch/config/config_cluster.sh
new file mode 100644
index 0000000..04e7026
--- /dev/null
+++ b/elasticsearch/config/config_cluster.sh
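Review bot: `ENV API_USER="foo" API_PASS="bar"` bakes default Wazuh API credentials into the image environment, and nothing in the file says they are placeholders; kibana/config/wazuh_app_config.sh later copies whatever they hold, in clear text, into wazuh.yml. A comment above that ENV such as `# Placeholder Wazuh API credentials: override API_USER/API_PASS at run time; they are written into the Kibana app config` makes the expectation explicit. `ARG TEMPLATE_VERSION=v3.13.1` is declared but not referenced anywhere in this Dockerfile, so it is either dead or intended for a script that never receives it as an ENV.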
@@ -0,0 +1,57 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
+
+remove_single_node_conf(){
+ if grep -Fq "discovery.type" $1; then
+ sed -i '/discovery.type\: /d' $1
+ fi
+}
+
+remove_cluster_config(){
+ sed -i '/# cluster node/,/# end cluster config/d' $1
+}
+
+# If Elasticsearch cluster is enable, then set up the elasticsearch.yml
+if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $CLUSTER_MASTER_NODE_NAME != "" ]]; then
+ # Remove the old configuration
+ remove_single_node_conf $elastic_config_file
+ remove_cluster_config $elastic_config_file
+
+if [[ $CLUSTER_NODE_MASTER == "true" ]]; then
+# Add the master configuration
+# cluster.initial_master_nodes for bootstrap the cluster
+cat > $elastic_config_file << EOF
+# cluster node
+network.host: $CLUSTER_NETWORK_HOST
+node.name: $CLUSTER_MASTER_NODE_NAME
+node.master: $CLUSTER_NODE_MASTER
+cluster.initial_master_nodes:
+ - $CLUSTER_MASTER_NODE_NAME
+# end cluster config"
+EOF
+
+elif [[ $CLUSTER_NODE_NAME != "" ]];then
+# Remove the old configuration
+remove_single_node_conf $elastic_config_file
+remove_cluster_config $elastic_config_file
+
+cat > $elastic_config_file << EOF
+# cluster node
+network.host: $CLUSTER_NETWORK_HOST
+node.name: $CLUSTER_NODE_NAME
+node.master: false
+discovery.seed_hosts:
+ - $CLUSTER_MASTER_NODE_NAME
+ - $CLUSTER_NODE_NAME
+# end cluster config"
+EOF
+fi
+# If the cluster is disabled, then set a single-node configuration
+else
+ # Remove the old configuration
+ remove_single_node_conf $elastic_config_file
+ remove_cluster_config $elastic_config_file
+ echo "discovery.type: single-node" >> $elastic_config_file
+fi
\ No newline at end of file
diff --git a/elasticsearch/config/configure_s3.sh b/elasticsearch/config/configure_s3.sh
new file mode 100644
index 0000000..ffb9cdb
--- /dev/null
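Review bot: Both cluster branches write their heredoc with `cat > $elastic_config_file`, which truncates elasticsearch.yml, while the `remove_single_node_conf`/`remove_cluster_config` calls just before only make sense if the rest of the file is kept; it also discards the `xpack.ml.enabled` line that entrypoint.sh writes immediately before invoking this script. `cat >> $elastic_config_file << EOF` in both places, matching the `>>` the single-node branch uses, is what the surrounding code intends. The closing marker in both heredocs is `# end cluster config"` with a stray trailing quote; the sed range in remove_cluster_config still matches it as a substring, but the quote should go. The data-node branch also repeats the two remove_* calls already executed at the top of the outer if.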
+++ b/elasticsearch/config/configure_s3.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+set -e
+
+# Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error.
+# param 1: number of arguments passed to configure_s3.sh
+
+function CheckArgs()
+{
+ if [ $1 != 4 ] && [ $1 != 5 ];then
+ echo "Use: configure_s3.sh (By default is added to the path and the repository name)"
+ echo "or use: configure_s3.sh "
+ exit 1
+
+ fi
+}
+
+# Create S3 repository from base_path / (if there is no argument, current version is added)
+# Repository name would be - (if there is no argument, current version is added)
+# param 1:
+# param 2:
+# param 3:
+# param 4:
+# param 5: Optional
+# output: It will show "acknowledged" if the repository has been successfully created
+
+function CreateRepo()
+{
+
+ elastic_ip_port="$2"
+ bucket_name="$3"
+ path="$4"
+ repository_name="$5"
+
+ if [ $1 == 5 ];then
+ version="$6"
+ else
+ version=`curl -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
+ fi
+
+ if ! [[ "$version" =~ ^[0-9]+$ ]];then
+ echo "Elasticsearch major version must be an integer"
+ exit 1
+ fi
+
+ repository="$repository_name-$version"
+ s3_path="$path/$version"
+
+ curl -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d'
+ {
+ "type": "s3",
+ "settings": {
+ "bucket": "'$bucket_name'",
+ "base_path": "'$s3_path'"
+ }
+ }
+ '
+
+}
+
+# Run functions CheckArgs and CreateRepo
+# param 1: number of arguments passed to configure_s3.sh
+# param 2:
+# param 3:
+# param 4:
+# param 5:
+# param 6: Optional
+
+function Main()
+{
+ CheckArgs $1
+
+ CreateRepo $1 $2 $3 $4 $5 $6
+}
+
+Main $# $1 $2 $3 $4 $5
\ No newline at end of file
diff --git a/elasticsearch/config/entrypoint.sh b/elasticsearch/config/entrypoint.sh
new file mode 100644
index 0000000..de74375
--- /dev/null
+++ b/elasticsearch/config/entrypoint.sh
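Review bot: The `curl -X PUT "$elastic_ip_port/_snapshot/$repository"` at the end of CreateRepo never checks the HTTP result, and `set -e` only reacts to curl's exit status, which is 0 for a 4xx/5xx response, so a rejected repository registration passes silently even though the header comment promises `acknowledged`. Adding `-sS --fail` (or capturing `-w '%{http_code}'` and testing for 200) makes the failure visible. The bucket and path are spliced into the JSON body outside the quotes (`"'$bucket_name'"`), so a value containing whitespace or a quote produces a malformed request; `"bucket": "'"$bucket_name"'"` keeps the expansion quoted. The usage strings in CheckArgs appear to have lost their placeholder text (`configure_s3.sh ` followed by nothing), which may be an artifact of how the page was rendered rather than of the file itself.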
@@ -0,0 +1,52 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.0/build/elasticsearch/bin/docker-entrypoint.sh
+
+set -e
+
+# Files created by Elasticsearch should always be group writable too
+umask 0002
+
+run_as_other_user_if_needed() {
+ if [[ "$(id -u)" == "0" ]]; then
+ # If running as root, drop to specified UID and run command
+ exec chroot --userspec=1000 / "${@}"
+ else
+ # Either we are running in Openshift with random uid and are a member of the root group
+ # or with a custom --user
+ exec "${@}"
+ fi
+}
+
+
+#Disabling xpack features
+
+elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
+if grep -Fq "#xpack features" "$elasticsearch_config_file";
+then
+ declare -A CONFIG_MAP=(
+ [xpack.ml.enabled]=$XPACK_ML
+ )
+ for i in "${!CONFIG_MAP[@]}"
+ do
+ if [ "${CONFIG_MAP[$i]}" != "" ]; then
+ sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
+ fi
+ done
+else
+ echo "
+#xpack features
+xpack.ml.enabled: $XPACK_ML
+ " >> $elasticsearch_config_file
+fi
+
+# Run load settings script.
+
+./config_cluster.sh
+
+./load_settings.sh &
+
+# Execute elasticsearch
+
+run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch
diff --git a/elasticsearch/config/load_settings.sh b/elasticsearch/config/load_settings.sh
new file mode 100644
index 0000000..5aeedb9
--- /dev/null
+++ b/elasticsearch/config/load_settings.sh
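Review bot: The sed expression `'s/.'"$i"'.*/…/'` uses `.` to stand for the leading `#` of the commented-out setting, and `$i` (`xpack.ml.enabled`) is inserted as a regex with its dots unescaped, so any line containing one character followed by text matching that pattern is rewritten, not only the `#xpack.ml.enabled` placeholder; kibana/config/xpack_config.sh carries the same loop. Anchoring it, e.g. `'s/^#*'"$i"':.*/'"$i"': '"${CONFIG_MAP[$i]}"'/'`, and escaping the dots in `$i` narrows it to the intended key. `${CONFIG_MAP[$i]}` is also substituted unescaped into the replacement, so a value containing `/` breaks the sed command. `exec chroot --userspec=1000 / "${@}"` hard-codes UID 1000 for the privilege drop; a comment noting that this must match the elasticsearch user of the base image would help whoever next changes the `FROM` line.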
@@ -0,0 +1,61 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+set -e
+
+el_url=${ELASTICSEARCH_URL}
+
+
+if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+ auth=""
+else
+ auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+fi
+
+until curl ${auth} -XGET $el_url; do
+ >&2 echo "Elastic is unavailable - sleeping"
+ sleep 5
+done
+
+>&2 echo "Elastic is up - executing command"
+
+if [ $ENABLE_CONFIGURE_S3 ]; then
+ #Wait for Elasticsearch to be ready to create the repository
+ sleep 10
+ IP_PORT="${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
+
+ if [ "x$S3_PATH" != "x" ]; then
+
+ if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
+ ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
+
+ else
+ ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
+
+ fi
+
+ fi
+
+fi
+
+if [ ${ENABLED_XPACK} = "true" ]; then
+curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
+{
+ "persistent": {
+ "xpack.monitoring.collection.enabled": true
+ }
+}
+'
+fi
+
+# Set cluster delayed timeout when node falls
+curl -X PUT "$el_url/_all/_settings" -H 'Content-Type: application/json' -d'
+{
+ "settings": {
+ "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
+ }
+}
+'
+
+
+echo "Elasticsearch is ready."
diff --git a/kibana/Dockerfile b/kibana/Dockerfile
new file mode 100644
index 0000000..12fffd7
--- /dev/null
+++ b/kibana/Dockerfile
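Review bot: `if [ $ENABLE_CONFIGURE_S3 ]; then` only tests that the variable is non-empty, and elasticsearch/Dockerfile sets it to the string `"false"`, so the S3 block is entered on every start and only the `S3_PATH` check keeps configure_s3.sh from running; `if [ "$ENABLE_CONFIGURE_S3" = "true" ]; then` is what the name implies. The `_all/_settings` PUT near the end omits `${auth}` while the `_cluster/settings` PUT includes it, so with X-Pack security enabled that request gets a 401 the script never notices (curl returns 0 and there is no `--fail`). `if [ ${ENABLED_XPACK} = "true" ]` is unquoted, so when the variable is unset bash reports a unary-operator error instead of evaluating false; quoting it as in the test at the top of the file avoids that.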
@@ -0,0 +1,75 @@
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+FROM docker.elastic.co/kibana/kibana:7.8.0
+USER kibana
+ARG ELASTIC_VERSION=7.8.0
+ARG WAZUH_VERSION=3.13.1
+ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
+
+WORKDIR /usr/share/kibana
+RUN ./bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip
+
+WORKDIR /
+USER root
+COPY config/entrypoint.sh ./entrypoint.sh
+RUN chmod 755 ./entrypoint.sh
+
+ENV PATTERN="" \
+ CHECKS_PATTERN="" \
+ CHECKS_TEMPLATE="" \
+ CHECKS_API="" \
+ CHECKS_SETUP="" \
+ EXTENSIONS_PCI="" \
+ EXTENSIONS_GDPR="" \
+ EXTENSIONS_AUDIT="" \
+ EXTENSIONS_OSCAP="" \
+ EXTENSIONS_CISCAT="" \
+ EXTENSIONS_AWS="" \
+ EXTENSIONS_VIRUSTOTAL="" \
+ EXTENSIONS_OSQUERY="" \
+ APP_TIMEOUT="" \
+ WAZUH_SHARDS="" \
+ WAZUH_REPLICAS="" \
+ WAZUH_VERSION_SHARDS="" \
+ WAZUH_VERSION_REPLICAS="" \
+ IP_SELECTOR="" \
+ IP_IGNORE="" \
+ XPACK_RBAC_ENABLED="" \
+ WAZUH_MONITORING_ENABLED="" \
+ WAZUH_MONITORING_FREQUENCY="" \
+ WAZUH_MONITORING_SHARDS="" \
+ WAZUH_MONITORING_REPLICAS="" \
+ ADMIN_PRIVILEGES=""
+
+ARG XPACK_CANVAS="true"
+ARG XPACK_LOGS="true"
+ARG XPACK_INFRA="true"
+ARG XPACK_ML="true"
+ARG XPACK_DEVTOOLS="true"
+ARG XPACK_MONITORING="true"
+ARG XPACK_APM="true"
+
+ARG CHANGE_WELCOME="false"
+
+COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
+
+RUN chmod +x ./wazuh_app_config.sh
+
+COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
+
+RUN chmod +x ./kibana_settings.sh
+
+COPY --chown=kibana:kibana ./config/xpack_config.sh ./
+
+RUN chmod +x ./xpack_config.sh
+
+RUN ./xpack_config.sh
+
+COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
+
+RUN chmod +x ./welcome_wazuh.sh
+
+RUN ./welcome_wazuh.sh
+USER kibana
+RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --optimize
+
+ENTRYPOINT ./entrypoint.sh
diff --git a/kibana/config/entrypoint.sh b/kibana/config/entrypoint.sh
new file mode 100644
index 0000000..1c445e1
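Review bot: `ARG ELASTIC_VERSION=7.8.0` is declared after `FROM docker.elastic.co/kibana/kibana:7.8.0`, so the base image tag is hard-coded and can drift from the ARG; elasticsearch/Dockerfile in the same commit declares the ARG before FROM and uses `${ELASTIC_VERSION}` in the tag, and this file should follow the same pattern. `ENTRYPOINT ./entrypoint.sh` is the shell form, so PID 1 is `/bin/sh -c` and the SIGTERM from `docker stop` is not delivered to the script or to Kibana; `ENTRYPOINT ["./entrypoint.sh"]`, with the script ending in `exec /usr/local/bin/kibana-docker`, gives a clean shutdown. The `ARG XPACK_*` and `ARG CHANGE_WELCOME` values are consumed only by the `RUN ./xpack_config.sh` and `RUN ./welcome_wazuh.sh` build steps; a comment saying so would stop someone expecting them to work as runtime `environment:` entries in docker-compose.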
--- /dev/null
+++ b/kibana/config/entrypoint.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+set -e
+
+##############################################################################
+# Waiting for elasticsearch
+##############################################################################
+
+if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
+ el_url="http://elasticsearch:9200"
+else
+ el_url="${ELASTICSEARCH_URL}"
+fi
+
+if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+ auth=""
+else
+ auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+fi
+
+until curl -XGET $el_url ${auth}; do
+ >&2 echo "Elastic is unavailable - sleeping"
+ sleep 5
+done
+
+sleep 2
+
+>&2 echo "Elasticsearch is up."
+
+
+##############################################################################
+# Waiting for wazuh alerts template
+##############################################################################
+
+strlen=0
+
+while [[ $strlen -eq 0 ]]
+do
+ template=$(curl $el_url/_cat/templates/wazuh -s)
+ strlen=${#template}
+ >&2 echo "Wazuh alerts template not loaded - sleeping."
+ sleep 2
+done
+
+sleep 2
+
+>&2 echo "Wazuh alerts template is loaded."
+
+
+./wazuh_app_config.sh
+
+sleep 5
+
+./kibana_settings.sh &
+
+/usr/local/bin/kibana-docker
diff --git a/kibana/config/kibana_settings.sh b/kibana/config/kibana_settings.sh
new file mode 100644
index 0000000..cd00fa6
--- /dev/null
+++ b/kibana/config/kibana_settings.sh
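Review bot: The template wait loop runs `curl $el_url/_cat/templates/wazuh -s` without `${auth}`, whereas the readiness loop above passes it; with X-Pack security enabled the response is a non-empty 401 body, so `strlen` becomes non-zero and the loop exits before the Wazuh template exists. `template=$(curl ${auth} -s $el_url/_cat/templates/wazuh)` keeps both calls consistent. The script ends with `/usr/local/bin/kibana-docker` rather than `exec /usr/local/bin/kibana-docker`, so bash remains the parent process and container stop signals are not forwarded to Kibana. The two `sleep 2` pauses after each readiness loop are unexplained; a short comment on why an extra delay is needed once the endpoint answers would help the next reader.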
@@ -0,0 +1,84 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+WAZUH_MAJOR=3
+
+##############################################################################
+# Wait for the Kibana API to start. It is necessary to do it in this container
+# because the others are running Elastic Stack and we can not interrupt them.
+#
+# The following actions are performed:
+#
+# Add the wazuh alerts index as default.
+# Set the Discover time interval to 24 hours instead of 15 minutes.
+# Do not ask user to help providing usage statistics to Elastic.
+##############################################################################
+
+##############################################################################
+# Customize elasticsearch ip
+##############################################################################
+if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
+ sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml
+ sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
+fi
+
+# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
+if [ "$KIBANA_INDEX" != "" ]; then
+ if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
+ sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
+ fi
+ echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
+fi
+
+# If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false.
+if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
+ if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
+ sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
+ fi
+ echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
+fi
+
+if [ "$KIBANA_IP" != "" ]; then
+ kibana_ip="$KIBANA_IP"
+else
+ kibana_ip="kibana"
+fi
+
+# Add auth headers if required
+if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; then
+ curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD"
+fi
+
+while [[ "$(curl $curl_auth -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_ip:5601/status)" != "200" ]]; do
+ echo "Waiting for Kibana API. Sleeping 5 seconds"
+ sleep 5
+done
+
+# Prepare index selection.
+echo "Kibana API is running"
+
+default_index="/tmp/default_index.json"
+
+cat > ${default_index} << EOF
+{
+ "changes": {
+ "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
+ }
+}
+EOF
+
+sleep 5
+# Add the wazuh alerts index as default.
+curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
+rm -f ${default_index}
+
+sleep 5
+# Configuring Kibana TimePicker.
+curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
+'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}'
+
+sleep 5
+# Do not ask user to help providing usage statistics to Elastic
+curl -POST "http://$kibana_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
+
+echo "End settings"
diff --git a/kibana/config/wazuh_app_config.sh b/kibana/config/wazuh_app_config.sh
new file mode 100644
index 0000000..cae2dce
--- /dev/null
+++ b/kibana/config/wazuh_app_config.sh
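Review bot: `curl_auth` is built from ELASTICSEARCH_USERNAME/PASSWORD and used for the `/status` wait loop, but the three `curl -POST "http://$kibana_ip:5601/api/..."` calls that follow do not pass it, so when Kibana requires authentication the default index, time picker and telemetry settings are rejected without any indication (no `--fail`, response not checked). Adding `$curl_auth` to each POST, or documenting that these endpoints are expected to be reachable unauthenticated, keeps the script consistent with its own wait loop. The comment above the XPACK_SECURITY_ENABLED block says the option is changed from true to false, but the code writes whatever value the variable holds; `# If XPACK_SECURITY_ENABLED is set, replace xpack.security.enabled in kibana.yml with its value` describes what happens. `sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g'` leaves the variable outside the quotes, so a value containing whitespace breaks the command; the hunk begins on the previous line.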
@@ -0,0 +1,68 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+wazuh_url="${WAZUH_API_URL:-https://wazuh}"
+wazuh_port="${API_PORT:-55000}"
+api_user="${API_USER:-foo}"
+api_password="${API_PASS:-bar}"
+
+kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml"
+mkdir -p /usr/share/kibana/optimize/wazuh/config/
+touch $kibana_config_file
+
+declare -A CONFIG_MAP=(
+ [pattern]=$PATTERN
+ [checks.pattern]=$CHECKS_PATTERN
+ [checks.template]=$CHECKS_TEMPLATE
+ [checks.api]=$CHECKS_API
+ [checks.setup]=$CHECKS_SETUP
+ [extensions.pci]=$EXTENSIONS_PCI
+ [extensions.gdpr]=$EXTENSIONS_GDPR
+ [extensions.audit]=$EXTENSIONS_AUDIT
+ [extensions.oscap]=$EXTENSIONS_OSCAP
+ [extensions.ciscat]=$EXTENSIONS_CISCAT
+ [extensions.aws]=$EXTENSIONS_AWS
+ [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
+ [extensions.osquery]=$EXTENSIONS_OSQUERY
+ [timeout]=$APP_TIMEOUT
+ [wazuh.shards]=$WAZUH_SHARDS
+ [wazuh.replicas]=$WAZUH_REPLICAS
+ [wazuh-version.shards]=$WAZUH_VERSION_SHARDS
+ [wazuh-version.replicas]=$WAZUH_VERSION_REPLICAS
+ [ip.selector]=$IP_SELECTOR
+ [ip.ignore]=$IP_IGNORE
+ [xpack.rbac.enabled]=$XPACK_RBAC_ENABLED
+ [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
+ [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
+ [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
+ [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
+ [admin]=$ADMIN_PRIVILEGES
+)
+
+for i in "${!CONFIG_MAP[@]}"
+do
+ if [ "${CONFIG_MAP[$i]}" != "" ]; then
+ sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+ fi
+done
+
+# remove default API entry (new in 3.11.0_7.5.1)
+sed -ie '/- default:/,+4d' $kibana_config_file
+
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
+
+grep -q 1513629884013 $kibana_config_file
+_config_exists=$?
+
+if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
+cat << EOF > $kibana_config_file
+hosts:
+ - 1513629884013:
+ url: $wazuh_url
+ port: $wazuh_port
+ user: $api_user
+ password: $api_password
+EOF
+else
+ echo "Wazuh APP already configured"
+fi
diff --git a/kibana/config/welcome_wazuh.sh b/kibana/config/welcome_wazuh.sh
new file mode 100644
index 0000000..3683c23
--- /dev/null
+++ b/kibana/config/welcome_wazuh.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+if [[ $CHANGE_WELCOME == "true" ]]
+then
+
+ rm -rf ./optimize/bundles
+
+ kibana_path="/usr/share/kibana"
+ # Set Wazuh app as the default landing page
+ echo "Set Wazuh app as the default landing page"
+ echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml
+
+ # Redirect Kibana welcome screen to Discover
+ echo "Redirect Kibana welcome screen to Discover"
+ sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html
+ sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js
+
+ # Redirect Kibana welcome screen to Discover
+ echo "Hide undesired links"
+ sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js
+ sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js
+fi
diff --git a/kibana/config/xpack_config.sh b/kibana/config/xpack_config.sh
new file mode 100644
index 0000000..89ffadf
--- /dev/null
+++ b/kibana/config/xpack_config.sh
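Review bot: `CONFIG_CODE=$(curl ... $el_url/.wazuh/_doc/1513629884013 ${auth})` relies on `el_url` and `auth`, which are not set anywhere in this script; they are assigned in kibana/config/entrypoint.sh, which runs this file as a child process without exporting them, so the request presumably goes to a bare `/.wazuh/_doc/...` path, curl fails, and the `x200` test always falls through to rewriting the file (worth confirming by checking curl's exit status). Deriving `el_url` here with the same `${ELASTICSEARCH_URL:-http://elasticsearch:9200}` default the entrypoint uses, or exporting both variables there, closes that gap. `cat << EOF > $kibana_config_file` then truncates wazuh.yml, so every `sed -i` substitution from the CONFIG_MAP loop above is discarded on first run; writing the `hosts:` block with `>>` keeps them. `sed -ie '/- default:/,+4d'` is parsed by GNU sed as `-i` with backup suffix `e`, leaving a `wazuh.ymle` copy of the config next to the real one; `sed -i -e '/- default:/,+4d'` is the intended form.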
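Review bot: `rm -rf ./optimize/bundles` is relative, and kibana/Dockerfile runs this script with `WORKDIR /`, so it removes `/optimize/bundles` (which does not exist) rather than the Kibana bundle cache, and `kibana_path` is only assigned two lines later; `rm -rf "$kibana_path/optimize/bundles"` placed after that assignment does what the surrounding code implies. The third comment repeats `# Redirect Kibana welcome screen to Discover` above the `visible: true` substitutions, where `# Hide the Rollup and License Management entries from the management navigation` describes the two sed lines. None of the `sed -i` calls against paths under `$kibana_path/src` and `node_modules` check that the file exists or that anything matched, and the script has no `set -e`, so a Kibana upgrade that moves those files silently yields an image without the customisation.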
@@ -0,0 +1,35 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+kibana_config_file="/usr/share/kibana/config/kibana.yml"
+if grep -Fq "#xpack features" "$kibana_config_file";
+then
+ declare -A CONFIG_MAP=(
+ [xpack.apm.ui.enabled]=$XPACK_APM
+ [xpack.grokdebugger.enabled]=$XPACK_DEVTOOLS
+ [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
+ [xpack.ml.enabled]=$XPACK_ML
+ [xpack.canvas.enabled]=$XPACK_CANVAS
+ [xpack.infra.enabled]=$XPACK_INFRA
+ [monitoring.enabled]=$XPACK_MONITORING
+ [console.enabled]=$XPACK_DEVTOOLS
+ )
+ for i in "${!CONFIG_MAP[@]}"
+ do
+ if [ "${CONFIG_MAP[$i]}" != "" ]; then
+ sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+ fi
+ done
+else
+ echo "
+#xpack features
+xpack.apm.ui.enabled: $XPACK_APM
+xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
+xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
+xpack.ml.enabled: $XPACK_ML
+xpack.canvas.enabled: $XPACK_CANVAS
+xpack.infra.enabled: $XPACK_INFRA
+xpack.monitoring.enabled: $XPACK_MONITORING
+console.enabled: $XPACK_DEVTOOLS
+" >> $kibana_config_file
+fi
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
new file mode 100644
index 0000000..b7e49c7
--- /dev/null
+++ b/nginx/Dockerfile
@@ -0,0 +1,19 @@
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+FROM nginx:latest
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get update && apt-get install -y openssl apache2-utils
+
+COPY config/entrypoint.sh /entrypoint.sh
+
+RUN chmod 755 /entrypoint.sh
+
+RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+VOLUME ["/etc/nginx/conf.d"]
+
+ENV NGINX_NAME="foo" \
+ NGINX_PWD="bar"
+
+ENTRYPOINT [ "/entrypoint.sh" ]
diff --git a/nginx/config/entrypoint.sh b/nginx/config/entrypoint.sh
new file mode 100644
index 0000000..2f4dcec
--- /dev/null
+++ b/nginx/config/entrypoint.sh
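Review bot: The fallback branch appends `xpack.monitoring.enabled: $XPACK_MONITORING`, while CONFIG_MAP in the first branch keys the same setting as `monitoring.enabled`, so which key lands in kibana.yml depends on whether the `#xpack features` marker already exists; one of the two should be corrected so both paths write the same setting. The `sed -i 's/.'"$i"'.*/…/'` loop has the same unanchored, unescaped-regex problem as the loop in elasticsearch/config/entrypoint.sh. This script runs at image build time (`RUN ./xpack_config.sh` in kibana/Dockerfile), so the `XPACK_*` values are build ARGs rather than runtime variables; a header comment stating that would save confusion.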
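Review bot: `FROM nginx:latest` is the only unpinned base image in this commit; the elasticsearch and kibana Dockerfiles pin `7.8.0`, and a floating tag makes the TLS and basic-auth front end non-reproducible and hard to audit after the fact. Pinning a version tag (or a digest) brings it in line with the other images. `ENV NGINX_NAME="foo" NGINX_PWD="bar"` are the credentials nginx/config/entrypoint.sh writes into kibana.htpasswd when NGINX_CREDENTIALS is empty; a comment such as `# Fallback basic-auth user; set NGINX_CREDENTIALS rather than relying on these` would flag them as placeholders.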
@@ -0,0 +1,97 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) + +set -e + +# Generating certificates. +if [ ! -d /etc/nginx/conf.d/ssl ]; then + echo "Generating SSL certificates" + mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private + openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null +else + echo "SSL certificates already present" +fi + +# Setting users credentials. +# In order to set NGINX_CREDENTIALS, before "docker-compose up -d" run (a or b): +# +# a) export NGINX_CREDENTIALS="user1:pass1;user2:pass2;" or +# export NGINX_CREDENTIALS="user1:pass1;user2:pass2" +# +# b) Set NGINX_CREDENTIALS in docker-compose.yml: +# NGINX_CREDENTIALS=user1:pass1;user2:pass2; or +# NGINX_CREDENTIALS=user1:pass1;user2:pass2 +# +if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then + echo "Setting users credentials" + if [ ! -z "$NGINX_CREDENTIALS" ]; then + IFS=';' read -r -a users <<< "$NGINX_CREDENTIALS" + for index in "${!users[@]}" + do + IFS=':' read -r -a credentials <<< "${users[index]}" + if [ $index -eq 0 ]; then + htpasswd -b -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} ${credentials[1]} >/dev/null + else + htpasswd -b /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} ${credentials[1]} >/dev/null + fi + done + else + # NGINX_PWD and NGINX_NAME are declared in nginx/Dockerfile + htpasswd -b -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME $NGINX_PWD >/dev/null + fi +else + echo "Kibana credentials already configured" +fi + +if [ "x${NGINX_PORT}" = "x" ]; then + NGINX_PORT=443 +fi + +if [ "x${KIBANA_HOST}" = "x" ]; then + KIBANA_HOST="kibana:5601" +fi + +echo "Configuring NGINX" + + +if [ "${NGINX_PORT}" = "443" ]; then +cat > /etc/nginx/conf.d/default.conf < /etc/nginx/conf.d/default.conf < /dev/null 2>&1 || error_and_exit "$1" +} + +exec_cmd_stdout() { + eval $1 2>&1 || error_and_exit "$1" +} 
+
+edit_configuration() { # $1 -> setting, $2 -> value
+ sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
+}
+
+for ossecdir in "${DATA_DIRS[@]}"; do
+ if [ ! -e "${DATA_PATH}/${ossecdir}" ]
+ then
+ print "Installing ${ossecdir}"
+ exec_cmd "mkdir -p $(dirname ${DATA_PATH}/${ossecdir})"
+ exec_cmd "cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}"
+ FIRST_TIME_INSTALLATION=true
+ fi
+done
+
+if [ -e ${WAZUH_INSTALL_PATH}/etc-template ]
+then
+ cp -p /var/ossec/etc-template/internal_options.conf /var/ossec/etc/internal_options.conf
+fi
+
+# copy missing files from queue-template (in case this is an upgrade from previous versions)
+for filename in /var/ossec/queue-template/*; do
+ fname=$(basename $filename)
+ echo $fname
+ if test ! -e "/var/ossec/data/queue/$fname"; then
+ cp -rp "/var/ossec/queue-template/$fname" /var/ossec/data/queue/
+ fi
+done
+
+touch ${DATA_PATH}/process_list
+chgrp ossec ${DATA_PATH}/process_list
+chmod g+rw ${DATA_PATH}/process_list
+
+AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
+API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
+
+if [ $FIRST_TIME_INSTALLATION == true ]
+then
+ if [ $AUTO_ENROLLMENT_ENABLED == true ]
+ then
+ if [ ! -e ${DATA_PATH}/etc/sslmanager.key ]
+ then
+ print "Creating ossec-authd key and cert"
+ exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096"
+ exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
+ fi
+ fi
+ if [ $API_GENERATE_CERTS == true ]
+ then
+ if [ ! 
-e ${DATA_PATH}/api/configuration/ssl/server.crt ]
+ then
+ print "Enabling Wazuh API HTTPS"
+ edit_configuration "https" "yes"
+ print "Create Wazuh API key and cert"
+ exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096"
+ exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
+ fi
+ fi
+fi
+
+##############################################################################
+# Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect
+# destination files permissions
+#
+# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
+# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
+# replace the ossec.conf file in /var/ossec/data/etc with yours.
+##############################################################################
+if [ -e "$WAZUH_CONFIG_MOUNT" ]
+then
+ print "Identified Wazuh configuration files to mount..."
+
+ exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $DATA_PATH"
+else
+ print "No Wazuh configuration files to mount..."
+fi
+
+function ossec_shutdown(){
+ ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
+}
+
+##############################################################################
+# Allow users to set the container hostname as dynamically on
+# container start.
+#
+# To use this:
+# 1. Create your own ossec.conf file
+# 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name
+# 3. 
Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
+##############################################################################
+sed -i 's/to_be_replaced_by_hostname<\/node_name>/'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+
+# Trap exit signals and do a proper shutdown
+trap "ossec_shutdown; exit" SIGINT SIGTERM
+
+chmod -R g+rw ${DATA_PATH}
+chmod 750 /var/ossec/agentless/*
+
+##############################################################################
+# Interpret any passed arguments (via docker command to this entrypoint) as
+# paths or commands, and execute them.
+#
+# This can be useful for actions that need to be run before the services are
+# started, such as "/var/ossec/bin/ossec-control enable agentless".
+##############################################################################
+for CUSTOM_COMMAND in "$@"
+do
+ echo "Executing command \`${CUSTOM_COMMAND}\`"
+ exec_cmd_stdout "${CUSTOM_COMMAND}"
+done
+
+##############################################################################
+# Change Wazuh API user credentials.
+##############################################################################
+
+pushd /var/ossec/api/configuration/auth/
+
+echo "Change Wazuh API user credentials"
+change_user="node htpasswd -b -c user $API_USER $API_PASS"
+eval $change_user
+
+popd
diff --git a/wazuh/config/01-config_filebeat.sh b/wazuh/config/01-config_filebeat.sh
new file mode 100644
index 0000000..952301e
--- /dev/null
+++ b/wazuh/config/01-config_filebeat.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+set -e
+
+# Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set
+if [ "$ELASTICSEARCH_URL" != "" ]; then
+ >&2 echo "Customize Elasticsearch ouput IP."
+ sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml
+fi
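Review bot: `change_user="node htpasswd -b -c user $API_USER $API_PASS"` followed by `eval $change_user` sends the API password through a second round of shell parsing, so a value containing spaces, quotes, `;` or `$` is split or interpreted rather than stored verbatim; run the command directly with quoted arguments, `node htpasswd -b -c user "$API_USER" "$API_PASS"`, and the same applies to the unquoted `${credentials[0]} ${credentials[1]}` arguments in the nginx entrypoint. With `-b` the password is also part of the command line, where any process able to read `/proc` can observe it for the moment it runs; there is no alternative visible on this page, so at least keep it to a single un-evaluated invocation. The start of this hunk, including its header and whatever `set -e`/helper definitions precede `edit_configuration`, is garbled in this view, so I cannot tell whether a failing `pushd` or `htpasswd` aborts the script. `echo $fname` in the queue-template loop looks like leftover debug output.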
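Review bot: `sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml` leaves `$ELASTICSEARCH_URL` unquoted, so a value with whitespace is split into extra sed arguments, and a value containing `|` or `&` is read as the expression delimiter or the matched-text reference rather than as part of the URL. Quoting fixes the first problem, `sed -i 's|http://elasticsearch:9200|'"$ELASTICSEARCH_URL"'|g' /etc/filebeat/filebeat.yml`; the delimiter and `&` cases need the value escaped before it is spliced into the expression. Because of `set -e` on the line above, a malformed expression aborts the script instead of leaving a half-edited file, which is the right failure mode, but the error the operator sees is sed's, not a hint about the variable. The comment's `th` and the message's `ouput` are typos.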
diff --git a/wazuh/config/data_dirs.env b/wazuh/config/data_dirs.env
new file mode 100644
index 0000000..e673506
--- /dev/null
+++ b/wazuh/config/data_dirs.env
@@ -0,0 +1,8 @@
+i=0
+DATA_DIRS[((i++))]="api/configuration"
+DATA_DIRS[((i++))]="etc"
+DATA_DIRS[((i++))]="logs"
+DATA_DIRS[((i++))]="queue"
+DATA_DIRS[((i++))]="agentless"
+DATA_DIRS[((i++))]="var/multigroups"
+export DATA_DIRS
diff --git a/wazuh/config/entrypoint.sh b/wazuh/config/entrypoint.sh
new file mode 100644
index 0000000..11bfe75
--- /dev/null
+++ b/wazuh/config/entrypoint.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+ bash "$script"
+
+done
+
+##############################################################################
+# Start Wazuh Server.
+##############################################################################
+
+/sbin/my_init
diff --git a/wazuh/config/filebeat.runit.service b/wazuh/config/filebeat.runit.service
new file mode 100644
index 0000000..fc28c4b
--- /dev/null
+++ b/wazuh/config/filebeat.runit.service
@@ -0,0 +1,4 @@
+#!/bin/sh
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+service filebeat start
+tail -f /var/log/filebeat/filebeat
diff --git a/wazuh/config/filebeat.yml b/wazuh/config/filebeat.yml
new file mode 100644
index 0000000..4660066
--- /dev/null
+++ b/wazuh/config/filebeat.yml
@@ -0,0 +1,15 @@
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+ - module: wazuh
+ alerts:
+ enabled: true
+ archives:
+ enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.template.overwrite: true
+setup.ilm.enabled: false
+
+output.elasticsearch.hosts: ['http://elasticsearch:9200']
\ No newline at end of file
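Review bot: The loop in wazuh/config/entrypoint.sh ignores each script's exit status, so a failure in, say, `01-config_filebeat.sh` (which uses `set -e` to fail fast) is swallowed and `/sbin/my_init` starts the services on top of a half-applied configuration; either `bash "$script" || exit 1` or `set -e` after the shebang makes the failure visible where it happens. The command-substituted `ls … | sort -n` is also unnecessary, since a glob already expands in sorted order and does not word-split on odd file names: `for script in /entrypoint-scripts/*.sh; do`. The stray blank line between `bash "$script"` and `done` can go.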
diff --git a/wazuh/config/init.bash b/wazuh/config/init.bash
new file mode 100644
index 0000000..293b8c4
--- /dev/null
+++ b/wazuh/config/init.bash
@@ -0,0 +1,11 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+# Initialize the custom data directory layout
+source /data_dirs.env
+
+cd /var/ossec
+for ossecdir in "${DATA_DIRS[@]}"; do
+ mv ${ossecdir} ${ossecdir}-template
+ ln -s $(realpath --relative-to=$(dirname ${ossecdir}) data)/${ossecdir} ${ossecdir}
+done
diff --git a/wazuh/config/postfix.runit.service b/wazuh/config/postfix.runit.service
new file mode 100644
index 0000000..2d27102
--- /dev/null
+++ b/wazuh/config/postfix.runit.service
@@ -0,0 +1,4 @@
+#!/bin/sh
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+service postfix start
+tail -f /var/log/mail.log
diff --git a/wazuh/config/wazuh-api.runit.service b/wazuh/config/wazuh-api.runit.service
new file mode 100644
index 0000000..27caf5d
--- /dev/null
+++ b/wazuh/config/wazuh-api.runit.service
@@ -0,0 +1,4 @@
+#!/bin/sh
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+service wazuh-api start
+tail -f /var/ossec/data/logs/api.log
diff --git a/wazuh/config/wazuh.runit.service b/wazuh/config/wazuh.runit.service
new file mode 100644
index 0000000..50ea940
--- /dev/null
+++ b/wazuh/config/wazuh.runit.service
@@ -0,0 +1,4 @@
+#!/bin/sh
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+service wazuh-manager start
+tail -f /var/ossec/data/logs/ossec.log
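Review bot: init.bash runs `mv ${ossecdir} ${ossecdir}-template` and then `ln -s …` with no `set -e` and no check on `cd /var/ossec`, so if the `mv` fails (directory absent, or already renamed on a rebuild) the symlink is still created and the layout ends up half-converted without the image build noticing. Add `set -e` after the shebang so the first failing step stops the build, and quote the expansions (`"${ossecdir}"`, `"$(dirname "${ossecdir}")"`) since the loop relies on `DATA_DIRS` entries being plain, space-free strings from data_dirs.env.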