From c8184b914551919515114c69a80354b5f2f1d750 Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Fri, 22 Jan 2021 17:53:43 +0100
Subject: [PATCH 01/35] Bump s6-overlay version
---
 wazuh-odfe/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wazuh-odfe/Dockerfile b/wazuh-odfe/Dockerfile
index 01df48b5..eb606609 100644
--- a/wazuh-odfe/Dockerfile
+++ b/wazuh-odfe/Dockerfile
@@ -21,7 +21,7 @@ RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-os
 RUN curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
-ARG S6_VERSION="v2.1.0.2"
+ARG S6_VERSION="v2.2.0.1"
 RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
 -o /tmp/s6-overlay-amd64.tar.gz && \
 tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \
From 6c9506aa9a62fd75015a2fd4cbd7ae7fa9410cc6 Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Mon, 23 Nov 2020 18:57:31 +0100
Subject: [PATCH 02/35] Use an ARG to select filebeat channel
---
 wazuh-odfe/Dockerfile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/wazuh-odfe/Dockerfile b/wazuh-odfe/Dockerfile
index 01df48b5..3acedb6c 100644
--- a/wazuh-odfe/Dockerfile
+++ b/wazuh-odfe/Dockerfile
@@ -1,6 +1,7 @@
 # Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 FROM centos:7
+ARG FILEBEAT_CHANNEL=filebeat-oss
 ARG FILEBEAT_VERSION=7.9.1
 ARG WAZUH_VERSION=4.0.4-1
 ARG TEMPLATE_VERSION="master"
@@ -16,8 +17,8 @@ RUN yum --enablerepo=updates clean metadata && \ sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \ yum clean all && rm -rf /var/cache/yum -RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm &&\ - rpm -i filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm +RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm &&\ + rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm RUN curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module From c3943a15232fadfe564bd9ef24ea0e08084da104 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 1 Dec 2020 18:23:36 +0100 Subject: [PATCH 03/35] Backport kibana-xpack image to v4 --- kibana/Dockerfile | 65 ++++++++++++ kibana/config/entrypoint.sh | 60 +++++++++++ kibana/config/kibana_settings.sh | 82 +++++++++++++++ kibana/config/wazuh.yml | 162 ++++++++++++++++++++++++++++++ kibana/config/wazuh_app_config.sh | 64 ++++++++++++ kibana/config/xpack_config.sh | 35 +++++++ 6 files changed, 468 insertions(+) create mode 100644 kibana/Dockerfile create mode 100644 kibana/config/entrypoint.sh create mode 100644 kibana/config/kibana_settings.sh create mode 100644 kibana/config/wazuh.yml create mode 100644 kibana/config/wazuh_app_config.sh create mode 100644 kibana/config/xpack_config.sh diff --git a/kibana/Dockerfile b/kibana/Dockerfile new file mode 100644 index 00000000..20245926 --- /dev/null +++ b/kibana/Dockerfile 
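Review bot: The rewritten `RUN` in the second hunk still hands the downloaded RPM to `rpm -i` without any integrity check and without `--fail`, so a non-200 response (for example an error page when `${FILEBEAT_CHANNEL}` is misspelled) is saved to disk and only fails later inside `rpm` with an unhelpful message. Add `--fail` to the download and verify the artifact before installing it; Elastic publishes a `.sha512` companion file next to each download, so something like `curl -fsSL -O <FILEBEAT_RPM_URL> && curl -fsSL -O <FILEBEAT_RPM_URL>.sha512 && sha512sum -c <FILEBEAT_RPM_FILE>.sha512` (placeholders for the URL and filename already built on this line) works if the companion file's format matches what `sha512sum -c` expects. Alternatively import Elastic's package signing key and run `rpm -K` on the file before `rpm -i`.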
@@ -0,0 +1,65 @@ +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) +ARG KIBANA_IMAGE=docker.elastic.co/kibana/kibana:7.9.3 +FROM ${KIBANA_IMAGE} +USER kibana +ARG ELASTIC_VERSION=7.9.3 +ARG WAZUH_VERSION=4.0.3 +ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" + +WORKDIR /usr/share/kibana +RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip + +ENV PATTERN="" \ + CHECKS_PATTERN="" \ + CHECKS_TEMPLATE="" \ + CHECKS_API="" \ + CHECKS_SETUP="" \ + EXTENSIONS_PCI="" \ + EXTENSIONS_GDPR="" \ + EXTENSIONS_HIPAA="" \ + EXTENSIONS_NIST="" \ + EXTENSIONS_TSC="" \ + EXTENSIONS_AUDIT="" \ + EXTENSIONS_OSCAP="" \ + EXTENSIONS_CISCAT="" \ + EXTENSIONS_AWS="" \ + EXTENSIONS_GCP="" \ + EXTENSIONS_VIRUSTOTAL="" \ + EXTENSIONS_OSQUERY="" \ + EXTENSIONS_DOCKER="" \ + APP_TIMEOUT="" \ + API_SELECTOR="" \ + IP_SELECTOR="" \ + IP_IGNORE="" \ + WAZUH_MONITORING_ENABLED="" \ + WAZUH_MONITORING_FREQUENCY="" \ + WAZUH_MONITORING_SHARDS="" \ + WAZUH_MONITORING_REPLICAS="" \ + ADMIN_PRIVILEGES="" \ + XPACK_CANVAS="true" \ + XPACK_LOGS="true" \ + XPACK_INFRA="true" \ + XPACK_ML="true" \ + XPACK_DEVTOOLS="true" \ + XPACK_MONITORING="true" \ + XPACK_APM="true" + +WORKDIR / +USER kibana +RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --optimize + +COPY --chown=kibana:kibana config/entrypoint.sh ./entrypoint.sh +RUN chmod 755 ./entrypoint.sh + +COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/optimize/wazuh/config/wazuh.yml +COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./ +RUN chmod +x ./wazuh_app_config.sh + +COPY --chown=kibana:kibana ./config/kibana_settings.sh ./ +RUN chmod +x ./kibana_settings.sh + +COPY --chown=kibana:kibana ./config/xpack_config.sh ./ +RUN chmod +x ./xpack_config.sh +RUN ./xpack_config.sh + +ENTRYPOINT ./entrypoint.sh diff --git a/kibana/config/entrypoint.sh b/kibana/config/entrypoint.sh new file mode 100644 index 00000000..885fb7d6 
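Review bot: `ENTRYPOINT ./entrypoint.sh` on the last line is shell form, so the script runs as a child of `/bin/sh -c` and `docker stop` delivers `SIGTERM` to that shell rather than to the script or to Kibana; use the exec form `ENTRYPOINT ["./entrypoint.sh"]` and have the script `exec` Kibana as its final step. The `kibana-plugin install https://packages.wazuh.com/…zip` step relies on TLS alone for integrity; if a checksum is published for the plugin archive, fetch it with `curl` first and verify it before installing so the build is reproducible and tamper-evident. The `RUN chmod 755`/`RUN chmod +x` steps that follow each `COPY --chown` can be folded into the copy with `COPY --chown=kibana:kibana --chmod=755 …` under BuildKit, which removes four layers.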
--- /dev/null +++ b/kibana/config/entrypoint.sh @@ -0,0 +1,60 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) + +set -e + +############################################################################## +# Waiting for elasticsearch +############################################################################## + +if [ "x${ELASTICSEARCH_URL}" = "x" ]; then + export el_url="http://elasticsearch:9200" +else + export el_url="${ELASTICSEARCH_URL}" +fi + +if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then + auth="" +else + auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" +fi + +until curl -XGET $el_url ${auth}; do + >&2 echo "Elastic is unavailable - sleeping" + sleep 5 +done + +sleep 2 + +>&2 echo "Elasticsearch is up." + + +############################################################################## +# Waiting for wazuh alerts template +############################################################################## + +strlen=0 + +while [[ $strlen -eq 0 ]] +do + template=$(curl ${auth} $el_url/_cat/templates/wazuh -s) + strlen=${#template} + >&2 echo "Wazuh alerts template not loaded - sleeping." + sleep 2 +done + +sleep 2 + +>&2 echo "Wazuh alerts template is loaded." + +./xpack_config.sh + +./wazuh_app_config.sh + +sleep 5 + +./kibana_settings.sh & + +sleep 2 + +/usr/local/bin/kibana-docker diff --git a/kibana/config/kibana_settings.sh b/kibana/config/kibana_settings.sh new file mode 100644 index 00000000..137d5d47 --- /dev/null +++ b/kibana/config/kibana_settings.sh 
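Review bot: The template wait loop exits as soon as `curl ${auth} $el_url/_cat/templates/wazuh -s` prints anything, and an authentication or server error body is non-empty too, so with security enabled a 401 response ends the loop and Kibana starts before the template is loaded. Adding `-f` makes curl print nothing on HTTP errors, which keeps the loop waiting: `template=$(curl ${auth} -sf "$el_url/_cat/templates/wazuh")`. The final `/usr/local/bin/kibana-docker` should be `exec /usr/local/bin/kibana-docker` so Kibana replaces the script and receives `SIGTERM` directly instead of through a parent that does not forward it. Both `curl` invocations place `${ELASTICSEARCH_PASSWORD}` on the command line, where it is visible to anything that can list processes in the container; passing it through `--netrc-file` or a `-K`/`--config` file generated at startup keeps it out of the process table.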
@@ -0,0 +1,82 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) + +WAZUH_MAJOR=4 + +############################################################################## +# Wait for the Kibana API to start. It is necessary to do it in this container +# because the others are running Elastic Stack and we can not interrupt them. +# +# The following actions are performed: +# +# Add the wazuh alerts index as default. +# Set the Discover time interval to 24 hours instead of 15 minutes. +# Do not ask user to help providing usage statistics to Elastic. +############################################################################## + +############################################################################## +# Customize elasticsearch ip +############################################################################## +sed -i "s|elasticsearch.hosts:.*|elasticsearch.hosts: $el_url|g" /usr/share/kibana/config/kibana.yml + +# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate. 
+if [ "$KIBANA_INDEX" != "" ]; then + if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then + sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml + fi + echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml +fi + +if [ "$XPACK_SECURITY_ENABLED" != "" ]; then + if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then + sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml + fi + echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml +fi + +if [ "$KIBANA_IP" != "" ]; then + kibana_ip="$KIBANA_IP" +else + kibana_ip="kibana" +fi + +# Add auth headers if required +if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; then + curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD" +fi + +while [[ "$(curl $curl_auth -XGET -I -s -o /dev/null -w ''%{http_code}'' kibana:5601/status)" != "200" ]]; do + echo "Waiting for Kibana API. Sleeping 5 seconds" + sleep 5 +done + + + +# Prepare index selection. +echo "Kibana API is running" + +default_index="/tmp/default_index.json" + +cat > ${default_index} << EOF +{ + "changes": { + "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*" + } +} +EOF + +sleep 5 +# Add the wazuh alerts index as default. +curl ${auth} -POST -k https://127.0.0.1:5601/api/kibana/settings -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} +rm -f ${default_index} + +sleep 5 +# Configuring Kibana TimePicker. +curl ${auth} -POST -k "https://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ +'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-12h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}' + +sleep 5 +# Do not ask user to help providing usage statistics to Elastic +curl -POST "http://$kibana_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}' + +echo "End settings" 
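Review bot: The three settings POSTs use `${auth}` while the readiness probe uses `$curl_auth`, and `auth` is never defined in this script; it only exists if entrypoint.sh exports it, which at this commit it does not (`auth="…"` is a plain assignment there), so with security enabled these calls go out unauthenticated and the defaults are never applied. Use the locally defined `$curl_auth` on every Kibana API call here, including the telemetry `optIn` request, which currently carries no credentials at all. `-POST` is not one option: curl parses it as `-P OST` (the FTP port option with argument `OST`) and the request is a POST only because `-d` is present, so write `-X POST` or drop the flag. The `-k` on the loopback calls disables certificate checking; a short comment such as `# TLS verification skipped: local Kibana may present a self-signed certificate` records the reason, and `--cacert` should be preferred when a CA path is available.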
diff --git a/kibana/config/wazuh.yml b/kibana/config/wazuh.yml new file mode 100644 index 00000000..6c52d526 --- /dev/null +++ b/kibana/config/wazuh.yml 
@@ -0,0 +1,162 @@ +--- +# +# Wazuh app - App configuration file +# Copyright (C) 2015-2020 Wazuh, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Find more information about this on the LICENSE file. +# +# ======================== Wazuh app configuration file ======================== +# +# Please check the documentation for more information on configuration options: +# https://documentation.wazuh.com/current/installation-guide/index.html +# +# Also, you can check our repository: +# https://github.com/wazuh/wazuh-kibana-app +# +# ------------------------------- Index patterns ------------------------------- +# +# Default index pattern to use. +#pattern: wazuh-alerts-* +# +# ----------------------------------- Checks ----------------------------------- +# +# Defines which checks must to be consider by the healthcheck +# step once the Wazuh app starts. Values must to be true or false. +#checks.pattern : true +#checks.template: true +#checks.api : true +#checks.setup : true +#checks.metaFields: true +# +# --------------------------------- Extensions --------------------------------- +# +# Defines which extensions should be activated when you add a new API entry. +# You can change them after Wazuh app starts. +# Values must to be true or false. +#extensions.pci : true +#extensions.gdpr : true +#extensions.hipaa : true +#extensions.nist : true +#extensions.tsc : true +#extensions.audit : true +#extensions.oscap : false +#extensions.ciscat : false +#extensions.aws : false +#extensions.gcp : false +#extensions.virustotal: false +#extensions.osquery : false +#extensions.docker : false +# +# ---------------------------------- Time out ---------------------------------- +# +# Defines maximum timeout to be used on the Wazuh app requests. 
+# It will be ignored if it is bellow 1500. +# It means milliseconds before we consider a request as failed. +# Default: 20000 +#timeout: 20000 +# +# -------------------------------- API selector -------------------------------- +# +# Defines if the user is allowed to change the selected +# API directly from the Wazuh app top menu. +# Default: true +#api.selector: true +# +# --------------------------- Index pattern selector --------------------------- +# +# Defines if the user is allowed to change the selected +# index pattern directly from the Wazuh app top menu. +# Default: true +#ip.selector: true +# +# List of index patterns to be ignored +#ip.ignore: [] +# +# -------------------------------- X-Pack RBAC --------------------------------- +# +# Custom setting to enable/disable built-in X-Pack RBAC security capabilities. +# Default: enabled +#xpack.rbac.enabled: true +# +# ------------------------------ wazuh-monitoring ------------------------------ +# +# Custom setting to enable/disable wazuh-monitoring indices. +# Values: true, false, worker +# If worker is given as value, the app will show the Agents status +# visualization but won't insert data on wazuh-monitoring indices. +# Default: true +#wazuh.monitoring.enabled: true +# +# Custom setting to set the frequency for wazuh-monitoring indices cron task. +# Default: 900 (s) +#wazuh.monitoring.frequency: 900 +# +# Configure wazuh-monitoring-* indices shards and replicas. +#wazuh.monitoring.shards: 2 +#wazuh.monitoring.replicas: 0 +# +# Configure wazuh-monitoring-* indices custom creation interval. 
+# Values: h (hourly), d (daily), w (weekly), m (monthly) +# Default: d +#wazuh.monitoring.creation: d +# +# Default index pattern to use for Wazuh monitoring +#wazuh.monitoring.pattern: wazuh-monitoring-* +# +# --------------------------------- wazuh-cron ---------------------------------- +# +# Customize the index prefix of predefined jobs +# This change is not retroactive, if you change it new indexes will be created +# cron.prefix: test +# +# ------------------------------ wazuh-statistics ------------------------------- +# +# Custom setting to enable/disable statistics tasks. +#cron.statistics.status: true +# +# Enter the ID of the APIs you want to save data from, leave this empty to run +# the task on all configured APIs +#cron.statistics.apis: [] +# +# Define the frequency of task execution using cron schedule expressions +#cron.statistics.interval: 0 0 * * * * +# +# Define the name of the index in which the documents are to be saved. +#cron.statistics.index.name: statistics +# +# Define the interval in which the index will be created +#cron.statistics.index.creation: w +# +# ------------------------------- App privileges -------------------------------- +#admin: true +# +# ---------------------------- Hide manager alerts ------------------------------ +# Hide the alerts of the manager in all dashboards and discover +#hideManagerAlerts: false +# +# ------------------------------- App logging level ----------------------------- +# Set the logging level for the Wazuh App log files. +# Default value: info +# Allowed values: info, debug +#logs.level: info +# +# -------------------------------- Enrollment DNS ------------------------------- +# Set the variable WAZUH_REGISTRATION_SERVER in agents deployment. +# Default value: '' +#enrollment.dns: '' +# +#-------------------------------- API entries ----------------------------------- +#The following configuration is the default structure to define an API entry. 
+# +#hosts: +# - : +# url: http(s):// +# port: +# username: +# password: + diff --git a/kibana/config/wazuh_app_config.sh b/kibana/config/wazuh_app_config.sh new file mode 100644 index 00000000..7ff90337 --- /dev/null +++ b/kibana/config/wazuh_app_config.sh 
@@ -0,0 +1,64 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) + +wazuh_url="${WAZUH_API_URL:-https://wazuh}" +wazuh_port="${API_PORT:-55000}" +api_username="${API_USERNAME:-wazuh-wui}" +api_password="${API_PASSWORD:-wazuh-wui}" + +kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml" + +declare -A CONFIG_MAP=( + [pattern]=$PATTERN + [checks.pattern]=$CHECKS_PATTERN + [checks.template]=$CHECKS_TEMPLATE + [checks.api]=$CHECKS_API + [checks.setup]=$CHECKS_SETUP + [extensions.pci]=$EXTENSIONS_PCI + [extensions.gdpr]=$EXTENSIONS_GDPR + [extensions.hipaa]=$EXTENSIONS_HIPAA + [extensions.nist]=$EXTENSIONS_NIST + [extensions.tsc]=$EXTENSIONS_TSC + [extensions.audit]=$EXTENSIONS_AUDIT + [extensions.oscap]=$EXTENSIONS_OSCAP + [extensions.ciscat]=$EXTENSIONS_CISCAT + [extensions.aws]=$EXTENSIONS_AWS + [extensions.gcp]=$EXTENSIONS_GCP + [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL + [extensions.osquery]=$EXTENSIONS_OSQUERY + [extensions.docker]=$EXTENSIONS_DOCKER + [timeout]=$APP_TIMEOUT + [api.selector]=$API_SELECTOR + [ip.selector]=$IP_SELECTOR + [ip.ignore]=$IP_IGNORE + [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED + [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY + [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS + [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS + [admin]=$ADMIN_PRIVILEGES +) + +for i in "${!CONFIG_MAP[@]}" +do + if [ "${CONFIG_MAP[$i]}" != "" ]; then + sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file + fi +done + +CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013) + +grep -q 1513629884013 $kibana_config_file +_config_exists=$? + +if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then +cat << EOF >> $kibana_config_file +hosts: + - 1513629884013: + url: $wazuh_url + port: $wazuh_port + username: $api_username + password: $api_password +EOF +else + echo "Wazuh APP already configured" +fi 
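Review bot: `api_password="${API_PASSWORD:-wazuh-wui}"` silently falls back to the well-known default API credentials and the heredoc writes them in clear text into `wazuh.yml`, so a deployment that forgets to set `API_PASSWORD` ends up with a predictable password and nothing in the logs to show it; warn in that case, e.g. `[ -z "$API_PASSWORD" ] && echo "WARNING: API_PASSWORD not set, using the default wazuh-wui password" >&2`. The `sed` in the loop interpolates `${CONFIG_MAP[$i]}` unescaped into the replacement, so a value containing `/` or `&` (plausible for `ip.ignore` or a custom pattern) breaks the expression; use another delimiter such as `|` or escape the value first. The `CONFIG_CODE` check depends on `$auth` and `$el_url` being exported by the caller; a comment at the top naming those expected variables would make the script's contract explicit.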
diff --git a/kibana/config/xpack_config.sh b/kibana/config/xpack_config.sh new file mode 100644 index 00000000..fedfad4e --- /dev/null +++ b/kibana/config/xpack_config.sh @@ -0,0 +1,35 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) + +kibana_config_file="/usr/share/kibana/config/kibana.yml" +if grep -Fq "#xpack features" "$kibana_config_file"; +then + declare -A CONFIG_MAP=( + [xpack.apm.ui.enabled]=$XPACK_APM + [xpack.grokdebugger.enabled]=$XPACK_DEVTOOLS + [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS + [xpack.ml.enabled]=$XPACK_ML + [xpack.canvas.enabled]=$XPACK_CANVAS + [xpack.infra.enabled]=$XPACK_INFRA + [xpack.monitoring.enabled]=$XPACK_MONITORING + [console.enabled]=$XPACK_DEVTOOLS + ) + for i in "${!CONFIG_MAP[@]}" + do + if [ "${CONFIG_MAP[$i]}" != "" ]; then + sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file + fi + done +else + echo " +#xpack features +xpack.apm.ui.enabled: $XPACK_APM +xpack.grokdebugger.enabled: $XPACK_DEVTOOLS +xpack.searchprofiler.enabled: $XPACK_DEVTOOLS +xpack.ml.enabled: $XPACK_ML +xpack.canvas.enabled: $XPACK_CANVAS +xpack.infra.enabled: $XPACK_INFRA +xpack.monitoring.enabled: $XPACK_MONITORING +console.enabled: $XPACK_DEVTOOLS +" >> $kibana_config_file +fi From d2c91ff90aa5750d2d95c49105f093fa2f5300bf Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 1 Dec 2020 18:29:17 +0100 Subject: [PATCH 04/35] Remove useless ARG --- kibana/Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 20245926..2be788d4 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile @@ -1,6 +1,5 @@ # Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) -ARG KIBANA_IMAGE=docker.elastic.co/kibana/kibana:7.9.3 -FROM ${KIBANA_IMAGE} +FROM docker.elastic.co/kibana/kibana:7.9.3 USER kibana ARG ELASTIC_VERSION=7.9.3 ARG WAZUH_VERSION=4.0.3 
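Review bot: The `sed` pattern `'s/.'"$i"'.*/…/'` requires one arbitrary character before the key, so it never matches the lines this same script writes in its `else` branch, which start at column 0 (`xpack.ml.enabled: …`); once the `#xpack features` marker exists, later runs cannot change any value, and in this commit the script runs both at build time (`RUN ./xpack_config.sh`) and again from entrypoint.sh. Anchor the match and make a leading `#` optional: `sed -i 's/^#\{0,1\}'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file`. The `else` branch also writes keys with empty values when an `XPACK_*` variable is overridden to an empty string, which Kibana may reject; guard each line with the same non-empty check the `if` branch uses, or state in a comment that the Dockerfile defaults are relied upon.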
From 0ce9aa9991f5fb70ca831bfd09979041aed2b56b Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 2 Dec 2020 17:49:49 +0100 Subject: [PATCH 05/35] Set Wazuh app as default route --- kibana/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 2be788d4..4e8a3033 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile @@ -50,6 +50,8 @@ RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --opti COPY --chown=kibana:kibana config/entrypoint.sh ./entrypoint.sh RUN chmod 755 ./entrypoint.sh +RUN printf "\nserver.defaultRoute: /app/wazuh\n" >> /usr/share/kibana/config/kibana.yml + COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/optimize/wazuh/config/wazuh.yml COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./ RUN chmod +x ./wazuh_app_config.sh From 13ad83778717dfa2b0071c81e62be5630055447a Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 2 Dec 2020 17:50:34 +0100 Subject: [PATCH 06/35] Remove duplicated xpack_config exec --- kibana/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 4e8a3033..813705c4 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile @@ -61,6 +61,5 @@ RUN chmod +x ./kibana_settings.sh COPY --chown=kibana:kibana ./config/xpack_config.sh ./ RUN chmod +x ./xpack_config.sh -RUN ./xpack_config.sh ENTRYPOINT ./entrypoint.sh From 0d5d167a5d7c2873f4d769ef7e4ce689b26bbae4 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 3 Dec 2020 18:23:45 +0100 Subject: [PATCH 07/35] Add sample compose for xpack variant --- xpack-compose.yml | 85 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 xpack-compose.yml diff --git a/xpack-compose.yml b/xpack-compose.yml new file mode 100644 index 00000000..42faafa3 --- /dev/null 
+++ b/xpack-compose.yml @@ -0,0 +1,85 @@ +# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2) +version: '3.7' + +services: + wazuh: + build: + context: wazuh-odfe/ + args: + - FILEBEAT_CHANNEL=filebeat + - FILEBEAT_VERSION=7.9.3 + image: wazuh/wazuh:4.0.3_7.9.3_dev + hostname: wazuh-manager + restart: always + ports: + - "1514:1514" + - "1515:1515" + - "514:514/udp" + - "55000:55000" + environment: + - ELASTICSEARCH_URL=http://elasticsearch:9200 + - ELASTIC_USERNAME=admin + - ELASTIC_PASSWORD=admin + - FILEBEAT_SSL_VERIFICATION_MODE=none + volumes: + - ossec_api_configuration:/var/ossec/api/configuration + - ossec_etc:/var/ossec/etc + - ossec_logs:/var/ossec/logs + - ossec_queue:/var/ossec/queue + - ossec_var_multigroups:/var/ossec/var/multigroups + - ossec_integrations:/var/ossec/integrations + - ossec_active_response:/var/ossec/active-response/bin + - ossec_agentless:/var/ossec/agentless + - ossec_wodles:/var/ossec/wodles + - filebeat_etc:/etc/filebeat + - filebeat_var:/var/lib/filebeat + + elasticsearch: + image: docker.elastic.co/elasticsearch/elasticsearch:7.9.3 + hostname: elasticsearch + restart: always + ports: + - "9200:9200" + environment: + - discovery.type=single-node + - cluster.name=wazuh-cluster + - network.host=0.0.0.0 + - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + - bootstrap.memory_lock=true + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + + kibana: + build: kibana/ + image: wazuh/wazuh-kibana:4.0.3_7.9.3_dev + hostname: kibana + restart: always + ports: + - 5601:5601 + environment: + - ELASTICSEARCH_USERNAME=admin + - ELASTICSEARCH_PASSWORD=admin + - ELASTICSEARCH_URL=http://elasticsearch:9200 + depends_on: + - elasticsearch + links: + - elasticsearch:elasticsearch + - wazuh:wazuh + +volumes: + ossec_api_configuration: + ossec_etc: + ossec_logs: + ossec_queue: + ossec_var_multigroups: + ossec_integrations: + ossec_active_response: + ossec_agentless: + ossec_wodles: + filebeat_etc: + filebeat_var: 
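Review bot: The sample fixes `ELASTIC_PASSWORD=admin` and `ELASTICSEARCH_PASSWORD=admin` with their usernames directly in the service environment while publishing 9200, 55000 and 514/udp on every host interface, so anyone who copies the file gets a network-reachable stack whose password is also in the repository. Reference them through Compose interpolation from a `.env` file (`- ELASTIC_PASSWORD=${ELASTIC_PASSWORD}`) and add a comment above the `environment:` blocks marking them as sample values to change before use. `FILEBEAT_SSL_VERIFICATION_MODE=none` deserves a comment as well, since the Elasticsearch endpoint here is plain `http://` and the setting only matters once TLS is enabled. The kibana mapping `- 5601:5601` should be quoted like the others (`- "5601:5601"`) to avoid YAML treating unquoted `a:b` port strings unexpectedly.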
From 59b55c6d5c04460e461577e4d2aacdd5daf46fb9 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 29 Jan 2021 13:12:49 +0100 Subject: [PATCH 08/35] Bump to 4.0.4 --- kibana/Dockerfile | 4 ++-- xpack-compose.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 813705c4..69ad44fa 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile @@ -1,8 +1,8 @@ -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2) FROM docker.elastic.co/kibana/kibana:7.9.3 USER kibana ARG ELASTIC_VERSION=7.9.3 -ARG WAZUH_VERSION=4.0.3 +ARG WAZUH_VERSION=4.0.4 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" WORKDIR /usr/share/kibana diff --git a/xpack-compose.yml b/xpack-compose.yml index 42faafa3..fbbc20c3 100644 --- a/xpack-compose.yml +++ b/xpack-compose.yml @@ -1,4 +1,4 @@ -# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2) +# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2) version: '3.7' services: @@ -8,7 +8,7 @@ services: args: - FILEBEAT_CHANNEL=filebeat - FILEBEAT_VERSION=7.9.3 - image: wazuh/wazuh:4.0.3_7.9.3_dev + image: wazuh/wazuh:4.0.4_7.9.3_dev hostname: wazuh-manager restart: always ports: @@ -56,7 +56,7 @@ services: kibana: build: kibana/ - image: wazuh/wazuh-kibana:4.0.3_7.9.3_dev + image: wazuh/wazuh-kibana:4.0.4_7.9.3_dev hostname: kibana restart: always ports: From e683a68cb4f0ae40377dccf04a4810b168633745 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 29 Jan 2021 13:13:29 +0100 Subject: [PATCH 09/35] Bump copyright --- kibana/config/entrypoint.sh | 2 +- kibana/config/kibana_settings.sh | 2 +- kibana/config/wazuh.yml | 2 +- kibana/config/wazuh_app_config.sh | 2 +- kibana/config/xpack_config.sh | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/kibana/config/entrypoint.sh b/kibana/config/entrypoint.sh index 885fb7d6..b0e7ad56 100644 --- a/kibana/config/entrypoint.sh +++ b/kibana/config/entrypoint.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2) set -e diff --git a/kibana/config/kibana_settings.sh b/kibana/config/kibana_settings.sh index 137d5d47..9b6a5768 100644 --- a/kibana/config/kibana_settings.sh +++ b/kibana/config/kibana_settings.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2) WAZUH_MAJOR=4 diff --git a/kibana/config/wazuh.yml b/kibana/config/wazuh.yml index 6c52d526..3b074c61 100644 --- a/kibana/config/wazuh.yml +++ b/kibana/config/wazuh.yml @@ -1,7 +1,7 @@ --- # # Wazuh app - App configuration file -# Copyright (C) 2015-2020 Wazuh, Inc. +# Copyright (C) 2015-2021 Wazuh, Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/kibana/config/wazuh_app_config.sh b/kibana/config/wazuh_app_config.sh index 7ff90337..c08980a5 100644 --- a/kibana/config/wazuh_app_config.sh +++ b/kibana/config/wazuh_app_config.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2) wazuh_url="${WAZUH_API_URL:-https://wazuh}" wazuh_port="${API_PORT:-55000}" diff --git a/kibana/config/xpack_config.sh b/kibana/config/xpack_config.sh index fedfad4e..afc593e9 100644 --- a/kibana/config/xpack_config.sh +++ b/kibana/config/xpack_config.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2) kibana_config_file="/usr/share/kibana/config/kibana.yml" if grep -Fq "#xpack features" "$kibana_config_file"; 
From 217be9a0757066afbdf2898e1686b4a0dd26480d Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Tue, 2 Feb 2021 18:57:16 +0100
Subject: [PATCH 10/35] Fix curl auth params
---
 kibana/config/entrypoint.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kibana/config/entrypoint.sh b/kibana/config/entrypoint.sh
index b0e7ad56..2edeaaf2 100644
--- a/kibana/config/entrypoint.sh
+++ b/kibana/config/entrypoint.sh
@@ -13,10 +13,10 @@ else
 export el_url="${ELASTICSEARCH_URL}"
 fi
-if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
- auth=""
+if [[ ${ENABLED_SECURITY} == "false" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+ export auth=""
 else
- auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+ export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"
 fi
 until curl -XGET $el_url ${auth}; do
From cd7d882261500af705b14d149aa79202843e1514 Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Tue, 2 Feb 2021 18:59:46 +0100
Subject: [PATCH 11/35] Use kibana_proto
---
 kibana/config/kibana_settings.sh | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/kibana/config/kibana_settings.sh b/kibana/config/kibana_settings.sh
index 9b6a5768..5163d3cc 100644
--- a/kibana/config/kibana_settings.sh
+++ b/kibana/config/kibana_settings.sh
@@ -27,7 +27,10 @@ if [ "$KIBANA_INDEX" != "" ]; then
 echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
 fi
+kibana_proto="http"
+
 if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
+ kibana_proto="https"
 if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
 sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
 fi
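Review bot: Appending `-k` on the new `export auth="--user … -k"` line turns off certificate verification for every curl call in this script and in the child scripts that inherit the variable, including the Elasticsearch reachability and template checks, and it does so unconditionally whenever credentials are present. Keep the insecure flag separate and opt-in so an operator can point curl at a CA instead: `export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"` plus a second variable driven by an explicit setting (constructed example: `export curl_tls="${CURL_INSECURE:+-k}"`) that callers pass alongside `${auth}`. The new condition `${ENABLED_SECURITY} == "false"` inverts the old `ENABLED_XPACK != "true"` default, so an unset variable now means authentication is attempted; that is the safer reading but should be recorded in a comment (`# credentials are sent unless ENABLED_SECURITY=false`).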
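Review bot: `kibana_proto="https"` is set whenever `$XPACK_SECURITY_ENABLED` is non-empty, so the value `false`, which the following lines write into kibana.yml as a legitimate setting, still switches every later probe and API call to HTTPS. Compare the value instead: `if [ "$XPACK_SECURITY_ENABLED" = "true" ]; then kibana_proto="https"; fi`. Whether Kibana serves TLS is governed by `server.ssl.enabled`, not by `xpack.security.enabled`, so a comment explaining why the two are coupled here would help; the enclosing `if` block closes outside the hunk.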
@@ -45,7 +48,7 @@ if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; t curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD" fi -while [[ "$(curl $curl_auth -XGET -I -s -o /dev/null -w ''%{http_code}'' kibana:5601/status)" != "200" ]]; do +while [[ "$(curl $curl_auth -XGET -I -s -o /dev/null -w ''%{http_code}'' -k $kibana_proto://127.0.0.1:5601/status)" != "200" ]]; do echo "Waiting for Kibana API. Sleeping 5 seconds" sleep 5 done @@ -67,16 +70,16 @@ EOF sleep 5 # Add the wazuh alerts index as default. -curl ${auth} -POST -k https://127.0.0.1:5601/api/kibana/settings -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} +curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} rm -f ${default_index} sleep 5 # Configuring Kibana TimePicker. -curl ${auth} -POST -k "https://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ +curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ '{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-12h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}' sleep 5 # Do not ask user to help providing usage statistics to Elastic -curl -POST "http://$kibana_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}' +curl -POST "$kibana_proto://127.0.0.1:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}' echo "End settings" From 7a99967144e14a22e1daa9d5a2a54657a9c520e2 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 2 Feb 2021 19:00:06 +0100 Subject: [PATCH 12/35] Remove kibana_ip --- kibana/config/kibana_settings.sh | 6 ------ 1 file changed, 6 deletions(-) 
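Review bot: The rewritten telemetry call `curl -POST "$kibana_proto://127.0.0.1:5601/api/telemetry/v2/optIn" …` is the only Kibana API request in this hunk without `${auth}`, so once security is enabled it gets a 401 and the opt-out is never applied; add `${auth}` and `-k` to match the two settings calls above it. The readiness probe keeps `$curl_auth` while the POSTs use `${auth}`; since both now exist, one of them should be used for the whole script so the two cannot drift apart.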
diff --git a/kibana/config/kibana_settings.sh b/kibana/config/kibana_settings.sh
index 5163d3cc..b883b31b 100644
--- a/kibana/config/kibana_settings.sh
+++ b/kibana/config/kibana_settings.sh
@@ -37,12 +37,6 @@ if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
 echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
 fi
-if [ "$KIBANA_IP" != "" ]; then
- kibana_ip="$KIBANA_IP"
-else
- kibana_ip="kibana"
-fi
-
 # Add auth headers if required
 if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; then
 curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD"
From f4c484e8878a2e4b07be8ae6289c91f587ffb4a0 Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Wed, 3 Feb 2021 11:32:07 +0100
Subject: [PATCH 13/35] Re-enable entrypoint scripts
---
 wazuh-odfe/config/etc/cont-init.d/2-manager | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/wazuh-odfe/config/etc/cont-init.d/2-manager b/wazuh-odfe/config/etc/cont-init.d/2-manager
index 4419011a..e5956cb5 100644
--- a/wazuh-odfe/config/etc/cont-init.d/2-manager
+++ b/wazuh-odfe/config/etc/cont-init.d/2-manager
@@ -102,6 +102,16 @@ EOF
 fi
 }
+function_entrypoint_scripts() {
+ # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+ if [ -d "/entrypoint-scripts/" ]
+ then
+ for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+ bash "$script"
+ done
+ fi
+}
+
 # Migrate data from /wazuh-migration volume
 function_wazuh_migration
@@ -109,5 +119,8 @@ function_wazuh_migration
 # create API custom user
 function_create_custom_user
+# run entrypoint scripts
+function_entrypoint_scripts
+
 # Start Wazuh
 /var/ossec/bin/ossec-control start
From d84631761a920eb994b26c633b319a3feecd9e9b Mon Sep 17 00:00:00 2001
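Review bot: `function_entrypoint_scripts` runs every `*.sh` it finds in `/entrypoint-scripts/` with `bash` under whatever user this init script has, which appears to be root since the same script goes on to run `ossec-control start`, so the directory is a privileged code hook for whoever controls that mount; the comment should say that only trusted content may be mounted there, and the function could skip files that are world-writable or not owned by root. The `ls … | sort -n` iteration also word-splits on spaces and `sort -n` is numeric rather than the lexicographic order the comment promises; a glob is already sorted: `for script in /entrypoint-scripts/*.sh; do [ -f "$script" ] && bash "$script"; done`. Running the hook before `ossec-control start`, as the second hunk does, is worth noting in the comment too, since scripts cannot assume the manager is up.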
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 4 Feb 2021 18:25:39 +0100 Subject: [PATCH 14/35] Update xpack-compose --- xpack-compose.yml | 125 ++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 116 insertions(+), 9 deletions(-) diff --git a/xpack-compose.yml b/xpack-compose.yml index fbbc20c3..52025636 100644 --- a/xpack-compose.yml +++ b/xpack-compose.yml @@ -17,10 +17,13 @@ services: - "514:514/udp" - "55000:55000" environment: - - ELASTICSEARCH_URL=http://elasticsearch:9200 - - ELASTIC_USERNAME=admin - - ELASTIC_PASSWORD=admin + - ELASTICSEARCH_URL=https://elasticsearch:9200 + - ELASTIC_USERNAME=elastic + - ELASTIC_PASSWORD=SecretPassword - FILEBEAT_SSL_VERIFICATION_MODE=none + - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/ca.crt + - SSL_CERTIFICATE=/etc/ssl/wazuh.crt + - SSL_KEY=/etc/ssl/wazuh.key volumes: - ossec_api_configuration:/var/ossec/api/configuration - ossec_etc:/var/ossec/etc @@ -33,6 +36,10 @@ services: - ossec_wodles:/var/ossec/wodles - filebeat_etc:/etc/filebeat - filebeat_var:/var/lib/filebeat + - ./xpack/ca/ca.crt:/etc/ssl/ca.crt + - ./xpack/wazuh/wazuh.crt:/etc/ssl/wazuh.crt + - ./xpack/wazuh/wazuh.key:/etc/ssl/wazuh.key + elasticsearch: image: docker.elastic.co/elasticsearch/elasticsearch:7.9.3 
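Review bot: The wazuh service now gets `SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/ca.crt` and the matching CA mount, yet `FILEBEAT_SSL_VERIFICATION_MODE=none` is kept, so Filebeat still accepts any certificate from `https://elasticsearch:9200` and the CA is never used to authenticate the peer; set it to `full` (or at least `certificate`) now that a CA is supplied, or document why `none` is still needed. `ELASTIC_PASSWORD=SecretPassword` is repeated literally here and in each Elasticsearch node's environment; `${ELASTIC_PASSWORD}` interpolation from a `.env` file keeps a single source of truth out of the committed file. The key and certificates mounted in the second hunk (`./xpack/wazuh/wazuh.key:/etc/ssl/wazuh.key` and neighbours) can carry a `:ro` suffix so the container cannot modify them.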
@@ -41,11 +48,59 @@ services: ports: - "9200:9200" environment: - - discovery.type=single-node - cluster.name=wazuh-cluster - - network.host=0.0.0.0 + - node.name=elasticsearch + - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3 + - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3 + - ELASTIC_PASSWORD=SecretPassword + - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + - bootstrap.memory_lock=true + - xpack.license.self_generated.type=basic + - xpack.security.enabled=true + - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt + - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key + - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt + - xpack.security.transport.ssl.enabled=true + - xpack.security.transport.ssl.verification_mode=certificate + - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt + - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key + - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + volumes: + - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt + - ./xpack/elasticsearch/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key + - ./xpack/elasticsearch/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt + + elasticsearch2: + image: docker.elastic.co/elasticsearch/elasticsearch:7.9.3 + hostname: elasticsearch2 + restart: always + environment: + - cluster.name=wazuh-cluster + - node.name=elasticsearch2 + - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3 + - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3 + - ELASTIC_PASSWORD=SecretPassword - "ES_JAVA_OPTS=-Xms512m -Xmx512m" - bootstrap.memory_lock=true + - 
xpack.license.self_generated.type=basic + - xpack.security.enabled=true + - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt + - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key + - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt + - xpack.security.transport.ssl.enabled=true + - xpack.security.transport.ssl.verification_mode=certificate + - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt + - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key + - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt ulimits: memlock: soft: -1 
@@ -53,6 +108,47 @@ services: nofile: soft: 65536 hard: 65536 + volumes: + - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt + - ./xpack/elasticsearch2/elasticsearch2.key:/usr/share/elasticsearch/config/elasticsearch.key + - ./xpack/elasticsearch2/elasticsearch2.crt:/usr/share/elasticsearch/config/elasticsearch.crt + + elasticsearch3: + image: docker.elastic.co/elasticsearch/elasticsearch:7.9.3 + hostname: elasticsearch3 + restart: always + environment: + - cluster.name=wazuh-cluster + - node.name=elasticsearch3 + - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3 + - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3 + - ELASTIC_PASSWORD=SecretPassword + - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + - bootstrap.memory_lock=true + - xpack.license.self_generated.type=basic + - xpack.security.enabled=true + - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt + - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key + - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt + - xpack.security.transport.ssl.enabled=true + - xpack.security.transport.ssl.verification_mode=certificate + - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt + - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key + - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + volumes: + - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt + - ./xpack/elasticsearch3/elasticsearch3.key:/usr/share/elasticsearch/config/elasticsearch.key + - ./xpack/elasticsearch3/elasticsearch3.crt:/usr/share/elasticsearch/config/elasticsearch.crt + + kibana: build: kibana/ 
@@ -60,11 +156,22 @@ services: hostname: kibana restart: always ports: - - 5601:5601 + - 443:5601 environment: - - ELASTICSEARCH_USERNAME=admin - - ELASTICSEARCH_PASSWORD=admin - - ELASTICSEARCH_URL=http://elasticsearch:9200 + - SERVERNAME=localhost + - ELASTICSEARCH_USERNAME=elastic + - ELASTICSEARCH_PASSWORD=SecretPassword + - ELASTICSEARCH_URL=https://elasticsearch:9200 + - ELASTICSEARCH_HOSTS=https://elasticsearch:9200 + - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=/usr/share/kibana/config/ca.crt + - SERVER_SSL_ENABLED=true + - XPACK_SECURITY_ENABLED=true + - SERVER_SSL_KEY=/usr/share/kibana/config/kibana.key + - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/kibana.crt + volumes: + - ./xpack/ca/ca.crt:/usr/share/kibana/config/ca.crt + - ./xpack/kibana/kibana.key:/usr/share/kibana/config/kibana.key + - ./xpack/kibana/kibana.crt:/usr/share/kibana/config/kibana.crt depends_on: - elasticsearch links: From e20fb6e728a25dcbd37dfc57f1d628b0db824477 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 4 Feb 2021 18:26:04 +0100 Subject: [PATCH 15/35] Add generate-elasticsearch-certs.yml and instances.yml --- generate-elasticsearch-certs.yml | 17 ++++++++++++++++ xpack/instances.yml | 35 ++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 generate-elasticsearch-certs.yml create mode 100644 xpack/instances.yml diff --git a/generate-elasticsearch-certs.yml b/generate-elasticsearch-certs.yml new file mode 100644 index 00000000..194696f6 --- /dev/null +++ b/generate-elasticsearch-certs.yml 
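Review bot: Kibana is now configured with `ELASTICSEARCH_USERNAME=elastic`, the cluster superuser, whereas the `kibana_system` built-in user is the account Elastic documents for this connection; running Kibana as a superuser turns any Kibana-side compromise into a full cluster compromise. Consider `- ELASTICSEARCH_USERNAME=kibana_system` with its password set during cluster bootstrap, documented alongside the certificate generation step. The hunk also sets both `ELASTICSEARCH_URL` and `ELASTICSEARCH_HOSTS` to the same value; in Kibana 7.x only `elasticsearch.hosts` is a Kibana setting, so `ELASTICSEARCH_URL` is presumably consumed by the image's own entrypoint scripts, which is worth a comment on the line, e.g. `# ELASTICSEARCH_URL is read by the Wazuh settings scripts, ELASTICSEARCH_HOSTS by Kibana itself`.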
@@ -0,0 +1,17 @@ +version: '2.2' + +services: + create_certs: + container_name: create_certs + image: docker.elastic.co/elasticsearch/elasticsearch:7.9.3 + command: > + bash -c ' + if [[ ! -f config/certificates/bundle.zip ]]; then + bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out config/certificates/bundle.zip; + unzip config/certificates/bundle.zip -d config/certificates/; + fi; + chown -R 1000:0 /certs + ' + user: "0" + working_dir: /usr/share/elasticsearch + volumes: ['./xpack:/usr/share/elasticsearch/config/certificates'] diff --git a/xpack/instances.yml b/xpack/instances.yml new file mode 100644 index 00000000..a6a61904 --- /dev/null +++ b/xpack/instances.yml @@ -0,0 +1,35 @@ +instances: + - name: elasticsearch + dns: + - elasticsearch + - localhost + ip: + - 127.0.0.1 + + - name: elasticsearch2 + dns: + - elasticsearch2 + - localhost + ip: + - 127.0.0.1 + + - name: elasticsearch3 + dns: + - elasticsearch3 + - localhost + ip: + - 127.0.0.1 + + - name: kibana + dns: + - kibana + - localhost + ip: + - 127.0.0.1 + + - name: wazuh + dns: + - wazuh + - localhost + ip: + - 127.0.0.1 \ No newline at end of file From 1cc88b3097dfa0a48b42b1bb99de238186c2dacb Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Thu, 4 Feb 2021 18:33:04 +0100 Subject: [PATCH 16/35] Rename cert generator container name --- generate-elasticsearch-certs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/generate-elasticsearch-certs.yml b/generate-elasticsearch-certs.yml index 194696f6..f2e3b8cf 100644 --- a/generate-elasticsearch-certs.yml +++ b/generate-elasticsearch-certs.yml @@ -1,8 +1,8 @@ version: '2.2' services: - create_certs: - container_name: create_certs + generator: + container_name: generator image: docker.elastic.co/elasticsearch/elasticsearch:7.9.3 command: > bash -c ' From ca11769d4fa276a6089af8df380a8e0d317a8d49 Mon Sep 17 00:00:00 2001 
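Review bot: `chown -R 1000:0 /certs` at the end of the generator command targets a path that nothing in this service mounts or creates — the certificates are written under `/usr/share/elasticsearch/config/certificates` (the `./xpack` bind mount) — so the chown fails, the container exits non-zero, and the freshly unzipped keys keep whatever ownership root gave them, which is likely why the kibana and wazuh containers, running as unprivileged users, may be unable to read their `.key` files. It should be `chown -R 1000:0 config/certificates`, relative to the `working_dir: /usr/share/elasticsearch` already set. The bundle presumably also contains the CA private key under `./xpack/ca/`, which then sits next to the compose file; add those key files to `.gitignore` and mention it in the README.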
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 5 Feb 2021 16:13:48 +0100 Subject: [PATCH 17/35] Remove dev tag from version --- xpack-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xpack-compose.yml b/xpack-compose.yml index 52025636..ad4720ae 100644 --- a/xpack-compose.yml +++ b/xpack-compose.yml @@ -8,7 +8,7 @@ services: args: - FILEBEAT_CHANNEL=filebeat - FILEBEAT_VERSION=7.9.3 - image: wazuh/wazuh:4.0.4_7.9.3_dev + image: wazuh/wazuh:4.0.4_7.9.3 hostname: wazuh-manager restart: always ports: @@ -152,7 +152,7 @@ services: kibana: build: kibana/ - image: wazuh/wazuh-kibana:4.0.4_7.9.3_dev + image: wazuh/wazuh-kibana:4.0.4_7.9.3 hostname: kibana restart: always ports: From 64db5f90678d42175b1ada56578d356bcbfdef7b Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Mon, 15 Feb 2021 18:02:24 +0100 Subject: [PATCH 18/35] Add goss binary for health checks --- wazuh-odfe/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/wazuh-odfe/Dockerfile b/wazuh-odfe/Dockerfile index d9dbc63f..c855dd07 100644 --- a/wazuh-odfe/Dockerfile +++ b/wazuh-odfe/Dockerfile @@ -22,6 +22,8 @@ RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_ RUN curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module +RUN curl -L https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 -o /usr/local/bin/goss && chmod +rx /usr/local/bin/goss + ARG S6_VERSION="v2.2.0.1" RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \ -o /tmp/s6-overlay-amd64.tar.gz && \ From b290efb376c877255aaf5847f3ecf5614fa8a698 Mon Sep 17 00:00:00 2001 
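Review bot: The new `RUN curl -L https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 -o /usr/local/bin/goss` fetches a moving `releases/latest` target with no version pin and no integrity check, and without `--fail` a GitHub error page would be saved and marked executable as `/usr/local/bin/goss`; the build is therefore not reproducible and trusts whatever the URL serves at build time. Pin the release through an `ARG` as the s6-overlay step below already does, add `--fail`, and verify a recorded SHA-256 before the `chmod`. The two `ARG` values below are placeholders to be filled from the chosen goss release.

```dockerfile
ARG GOSS_VERSION="<pinned goss release tag>"
ARG GOSS_SHA256="<sha256 of goss-linux-amd64 for that release>"
RUN curl --fail --silent -L https://github.com/aelsabbahy/goss/releases/download/${GOSS_VERSION}/goss-linux-amd64 \
      -o /usr/local/bin/goss && \
    echo "${GOSS_SHA256}  /usr/local/bin/goss" | sha256sum -c - && \
    chmod +rx /usr/local/bin/goss
```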
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 16 Feb 2021 17:09:09 +0100 Subject: [PATCH 19/35] Update version --- VERSION | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 7563f1f1..37c74115 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-DOCKER_VERSION="4.0.4_1.11.0" -REVISION="40400" +WAZUH-DOCKER_VERSION="4.1.0" +REVISION="41000" From b7afcf764612b34f7b2c4b197d7f1e0151349e2f Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 16 Feb 2021 17:09:28 +0100 Subject: [PATCH 20/35] Bump odfe version --- build-from-sources.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build-from-sources.yml b/build-from-sources.yml index 49120850..14e21304 100644 --- a/build-from-sources.yml +++ b/build-from-sources.yml @@ -31,7 +31,7 @@ services: - filebeat_var:/var/lib/filebeat elasticsearch: - image: amazon/opendistro-for-elasticsearch:1.11.0 + image: amazon/opendistro-for-elasticsearch:1.12.0 hostname: elasticsearch restart: always ports: From e3d1aa16d0690a28672e4e9364ac6422bf619091 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 16 Feb 2021 17:16:55 +0100 Subject: [PATCH 21/35] Update compatibility matrix --- README.md | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 257810a5..b559095d 100644 --- a/README.md +++ b/README.md 
@@ -148,22 +148,24 @@ ADMIN_PRIVILEGES=true # App privileges * `4.0` branch on correspond to the latest Wazuh-Docker stable version. * `master` branch contains the latest code, be aware of possible bugs on this branch. -* `Wazuh.Version_ElasticStack.Version` (for example 3.13.1_7.8.0) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch. +* `Wazuh.Version` (for example 3.13.1_7.8.0 or 4.1.0) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch. ## Compatibility Matrix -| Wazuh version | ODFE | -|---------------|---------| -| v4.0.4 | 1.11.0 | -|---------------|---------| -| v4.0.3 | 1.11.0 | -|---------------|---------| -| v4.0.2 | 1.11.0 | -|---------------|---------| -| v4.0.1 | 1.11.0 | -|---------------|---------| -| v4.0.0 | 1.10.1 | +| Wazuh version | ODFE | XPACK | +|---------------|---------|--------| +| v4.1.0 | 1.12.0 | 7.10.2 | +|---------------|---------|--------| +| v4.0.4 | 1.11.0 | | +|---------------|---------|--------| +| v4.0.3 | 1.11.0 | | +|---------------|---------|--------| +| v4.0.2 | 1.11.0 | | +|---------------|---------|--------| +| v4.0.1 | 1.11.0 | | +|---------------|---------|--------| +| v4.0.0 | 1.10.1 | | ## Credits and Thank you From 7cc89ffdb1e98536cdab0161790f986122349c63 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 16 Feb 2021 17:17:54 +0100 Subject: [PATCH 22/35] Bump versions --- wazuh-odfe/Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/wazuh-odfe/Dockerfile b/wazuh-odfe/Dockerfile index c855dd07..fe308504 100644 --- a/wazuh-odfe/Dockerfile +++ b/wazuh-odfe/Dockerfile 
@@ -2,8 +2,8 @@ FROM centos:7 ARG FILEBEAT_CHANNEL=filebeat-oss -ARG FILEBEAT_VERSION=7.9.1 -ARG WAZUH_VERSION=4.0.4-1 +ARG FILEBEAT_VERSION=7.10.0 +ARG WAZUH_VERSION=4.1.0-1 ARG TEMPLATE_VERSION="master" ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz" @@ -24,7 +24,7 @@ RUN curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | t RUN curl -L https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 -o /usr/local/bin/goss && chmod +rx /usr/local/bin/goss -ARG S6_VERSION="v2.2.0.1" +ARG S6_VERSION="v2.2.0.3" RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \ -o /tmp/s6-overlay-amd64.tar.gz && \ tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \ From 1c512ae437121c8cb478eb1b034d7eec224eee85 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Tue, 16 Feb 2021 17:19:08 +0100 Subject: [PATCH 23/35] Bump versions and update path --- kibana-odfe/Dockerfile | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/kibana-odfe/Dockerfile b/kibana-odfe/Dockerfile index de07eac0..bebc0480 100644 --- a/kibana-odfe/Dockerfile +++ b/kibana-odfe/Dockerfile @@ -1,8 +1,8 @@ # Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2) -FROM amazon/opendistro-for-elasticsearch-kibana:1.11.0 +FROM amazon/opendistro-for-elasticsearch-kibana:1.12.0 USER kibana -ARG ELASTIC_VERSION=7.9.1 -ARG WAZUH_VERSION=4.0.4 +ARG ELASTIC_VERSION=7.10.0 +ARG WAZUH_VERSION=4.1.0 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" WORKDIR /usr/share/kibana @@ -42,7 +42,6 @@ ENV PATTERN="" \ ADMIN_PRIVILEGES="" USER kibana -RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --optimize COPY ./config/custom_welcome /tmp/custom_welcome COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./ 
@@ -50,7 +49,7 @@ RUN chmod +x ./welcome_wazuh.sh ARG CHANGE_WELCOME="true" RUN ./welcome_wazuh.sh -COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/optimize/wazuh/config/wazuh.yml +COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./ RUN chmod +x ./wazuh_app_config.sh From 7e75b29a0f8f914f35329aad367d21ae035d9d2c Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 17 Feb 2021 14:07:55 +0100 Subject: [PATCH 24/35] Update paths --- kibana-odfe/config/wazuh_app_config.sh | 2 +- kibana-odfe/config/welcome_wazuh.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/kibana-odfe/config/wazuh_app_config.sh b/kibana-odfe/config/wazuh_app_config.sh index c08980a5..fddf93b4 100644 --- a/kibana-odfe/config/wazuh_app_config.sh +++ b/kibana-odfe/config/wazuh_app_config.sh @@ -6,7 +6,7 @@ wazuh_port="${API_PORT:-55000}" api_username="${API_USERNAME:-wazuh-wui}" api_password="${API_PASSWORD:-wazuh-wui}" -kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml" +kibana_config_file="/usr/share/kibana/data/wazuh/config/wazuh.yml" declare -A CONFIG_MAP=( [pattern]=$PATTERN diff --git a/kibana-odfe/config/welcome_wazuh.sh b/kibana-odfe/config/welcome_wazuh.sh index 50b1d56e..b0bcfc70 100644 --- a/kibana-odfe/config/welcome_wazuh.sh +++ b/kibana-odfe/config/welcome_wazuh.sh 
@@ -8,7 +8,7 @@ then echo "Set custom welcome styles" cp -f /tmp/custom_welcome/template.js.hbs /usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs - cp -f /tmp/custom_welcome/light_theme.style.css /usr/share/kibana/optimize/bundles/light_theme.style.css - cp -f /tmp/custom_welcome/*svg /usr/share/kibana/optimize/bundles/ + cp -f /tmp/custom_welcome/light_theme.style.css /usr/share/kibana/src/core/server/core_app/assets/legacy_light_theme.css + cp -f /tmp/custom_welcome/*svg /usr/share/kibana/src/core/server/core_app/assets/ fi From 201e750f2cddce9afdf250fa7e11e8bb8cb8ea4c Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 17 Feb 2021 14:43:59 +0100 Subject: [PATCH 25/35] Bump xpack images --- xpack-compose.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/xpack-compose.yml b/xpack-compose.yml index ad4720ae..528fc299 100644 --- a/xpack-compose.yml +++ b/xpack-compose.yml @@ -7,8 +7,8 @@ services: context: wazuh-odfe/ args: - FILEBEAT_CHANNEL=filebeat - - FILEBEAT_VERSION=7.9.3 - image: wazuh/wazuh:4.0.4_7.9.3 + - FILEBEAT_VERSION=7.10.2 + image: wazuh/wazuh:4.1.0_7.10.2 hostname: wazuh-manager restart: always ports: @@ -42,7 +42,7 @@ services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.9.3 + image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2 hostname: elasticsearch restart: always ports: @@ -79,7 +79,7 @@ services: - ./xpack/elasticsearch/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt elasticsearch2: - image: docker.elastic.co/elasticsearch/elasticsearch:7.9.3 + image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2 hostname: elasticsearch2 restart: always environment: 
@@ -114,7 +114,7 @@ services: - ./xpack/elasticsearch2/elasticsearch2.crt:/usr/share/elasticsearch/config/elasticsearch.crt elasticsearch3: - image: docker.elastic.co/elasticsearch/elasticsearch:7.9.3 + image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2 hostname: elasticsearch3 restart: always environment: @@ -152,7 +152,7 @@ services: kibana: build: kibana/ - image: wazuh/wazuh-kibana:4.0.4_7.9.3 + image: wazuh/wazuh-kibana:4.1.0_7.10.2 hostname: kibana restart: always ports: From 6f60a87b46f7195e490c6de3c4961692ce755a1e Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 17 Feb 2021 14:44:09 +0100 Subject: [PATCH 26/35] Bump odfe images --- docker-compose.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 12686ea3..35656427 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,7 +3,7 @@ version: '3.7' services: wazuh: - image: wazuh/wazuh-odfe:4.0.4_1.11.0 + image: wazuh/wazuh-odfe:4.1.0 hostname: wazuh-manager restart: always ports: @@ -30,7 +30,7 @@ services: - filebeat_var:/var/lib/filebeat elasticsearch: - image: amazon/opendistro-for-elasticsearch:1.11.0 + image: amazon/opendistro-for-elasticsearch:1.12.0 hostname: elasticsearch restart: always ports: @@ -50,7 +50,7 @@ services: hard: 65536 kibana: - image: wazuh/wazuh-kibana-odfe:4.0.4_1.11.0 + image: wazuh/wazuh-kibana-odfe:4.1.0 hostname: kibana restart: always ports: From 771e4e3988c7ae9ef9fe80b3ef4a95e135081380 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 17 Feb 2021 14:53:52 +0100 Subject: [PATCH 27/35] Update Goss tests --- .goss.kibana.yaml | 8 ++++---- .goss.yaml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.goss.kibana.yaml b/.goss.kibana.yaml index b5c0ea6b..8a29ce3c 100644 --- a/.goss.kibana.yaml +++ b/.goss.kibana.yaml 
@@ -6,28 +6,28 @@ file: group: root filetype: file contains: [] - /usr/share/kibana/optimize/bundles/light_theme.style.css: + /usr/share/kibana/src/core/server/core_app/assets/legacy_light_theme.css: exists: true mode: "0664" owner: kibana group: root filetype: file contains: [] - /usr/share/kibana/optimize/bundles/wazuh_logo_circle.svg: + /usr/share/kibana/src/core/server/core_app/assets/wazuh_logo_circle.svg: exists: true mode: "0644" owner: kibana group: root filetype: file contains: [] - /usr/share/kibana/optimize/bundles/wazuh_wazuh_bg.svg: + /usr/share/kibana/src/core/server/core_app/assets/wazuh_wazuh_bg.svg: exists: true mode: "0644" owner: kibana group: root filetype: file contains: [] - /usr/share/kibana/optimize/wazuh/config/wazuh.yml: + /usr/share/kibana/data/wazuh/config/wazuh.yml: exists: true mode: "0644" owner: kibana diff --git a/.goss.yaml b/.goss.yaml index 1d84c367..7901f2cb 100644 --- a/.goss.yaml +++ b/.goss.yaml @@ -52,11 +52,11 @@ package: filebeat: installed: true versions: - - 7.9.1 + - 7.10.0 wazuh-manager: installed: true versions: - - 4.0.4 + - 4.1.0 port: tcp:1514: listening: true From fe3b9335c18001e2d2b76339c681182da048bb51 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 17 Feb 2021 14:54:04 +0100 Subject: [PATCH 28/35] Update xpack compose --- xpack-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xpack-compose.yml b/xpack-compose.yml index 528fc299..465bc646 100644 --- a/xpack-compose.yml +++ b/xpack-compose.yml @@ -8,7 +8,7 @@ services: args: - FILEBEAT_CHANNEL=filebeat - FILEBEAT_VERSION=7.10.2 - image: wazuh/wazuh:4.1.0_7.10.2 + image: wazuh/wazuh:4.1.0 hostname: wazuh-manager restart: always ports: @@ -152,7 +152,7 @@ services: kibana: build: kibana/ - image: wazuh/wazuh-kibana:4.1.0_7.10.2 + image: wazuh/wazuh-kibana:4.1.0 hostname: kibana restart: always ports: From eb944445be0bc686bfd8adf9cd8cf25f34cdd95f Mon Sep 17 00:00:00 2001 
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 17 Feb 2021 15:41:47 +0100 Subject: [PATCH 29/35] Update changelog --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ad21a86..2c5c4037 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Change Log All notable changes to this project will be documented in this file. +## Wazuh Docker v4.1.0 + +- Update Wazuh to version [4.1.0](https://github.com/wazuh/wazuh/blob/v4.1.0/CHANGELOG.md#v410) +- Update ODFE compatibility to version 1.12.0 +- Add support for Elasticsearch (xpack) images once again (7.10.2) ([@xr09](https://github.com/xr09)) [#409](https://github.com/wazuh/wazuh-docker/pull/409) +- Re-enable entrypoint scripts ([@xr09](https://github.com/xr09)) [#435](https://github.com/wazuh/wazuh-docker/pull/435) +- Add Goss binary for healthchecks ([@xr09](https://github.com/xr09)) [$441](https://github.com/wazuh/wazuh-docker/pull/441) +- Update s6-overlay to latest version ## Wazuh Docker v4.0.4_1.11.0 From f019658c86783befaa41c295cae37636872245e4 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 17 Feb 2021 15:51:45 +0100 Subject: [PATCH 30/35] Bump images on prod cluster --- production-cluster.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/production-cluster.yml b/production-cluster.yml index f6b30281..c214c6ae 100644 --- a/production-cluster.yml +++ b/production-cluster.yml @@ -3,7 +3,7 @@ version: '3.7' services: wazuh-master: - image: wazuh/wazuh-odfe:4.0.4_1.11.0 + image: wazuh/wazuh-odfe:4.1.0 hostname: wazuh-master restart: always ports: @@ -38,7 +38,7 @@ services: - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf wazuh-worker: - image: wazuh/wazuh-odfe:4.0.4_1.11.0 + image: wazuh/wazuh-odfe:4.1.0 hostname: wazuh-worker restart: always environment: 
@@ -67,7 +67,7 @@ services: - ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf elasticsearch: - image: amazon/opendistro-for-elasticsearch:1.11.0 + image: amazon/opendistro-for-elasticsearch:1.12.0 hostname: elasticsearch restart: always ports: @@ -90,7 +90,7 @@ services: - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml elasticsearch-2: - image: amazon/opendistro-for-elasticsearch:1.11.0 + image: amazon/opendistro-for-elasticsearch:1.12.0 hostname: elasticsearch-2 restart: always environment: @@ -111,7 +111,7 @@ services: - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml elasticsearch-3: - image: amazon/opendistro-for-elasticsearch:1.11.0 + image: amazon/opendistro-for-elasticsearch:1.12.0 hostname: elasticsearch-3 restart: always environment: @@ -132,7 +132,7 @@ services: - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml kibana: - image: wazuh/wazuh-kibana-odfe:4.0.4_1.11.0 + image: wazuh/wazuh-kibana-odfe:4.1.0 hostname: kibana restart: always ports: From 5673a9115ce89e00aaf192b5bf16e63839b7fee1 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 17 Feb 2021 16:31:49 +0100 Subject: [PATCH 31/35] Fix changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c5c4037..0ced89db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ # Change Log All notable changes to this project will be documented in this file. ## Wazuh Docker v4.1.0 +### Added - Update Wazuh to version [4.1.0](https://github.com/wazuh/wazuh/blob/v4.1.0/CHANGELOG.md#v410) - Update ODFE compatibility to version 1.12.0 
From 41f23977250e77900342c652f1369859153b651d Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 17 Feb 2021 16:39:44 +0100 Subject: [PATCH 32/35] Fix elastic version --- generate-elasticsearch-certs.yml | 2 +- kibana/Dockerfile | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/generate-elasticsearch-certs.yml b/generate-elasticsearch-certs.yml index f2e3b8cf..e777e881 100644 --- a/generate-elasticsearch-certs.yml +++ b/generate-elasticsearch-certs.yml @@ -3,7 +3,7 @@ version: '2.2' services: generator: container_name: generator - image: docker.elastic.co/elasticsearch/elasticsearch:7.9.3 + image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2 command: > bash -c ' if [[ ! -f config/certificates/bundle.zip ]]; then diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 69ad44fa..75de7a92 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile @@ -1,8 +1,8 @@ # Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2) -FROM docker.elastic.co/kibana/kibana:7.9.3 +FROM docker.elastic.co/kibana/kibana:7.10.2 USER kibana -ARG ELASTIC_VERSION=7.9.3 -ARG WAZUH_VERSION=4.0.4 +ARG ELASTIC_VERSION=7.10.2 +ARG WAZUH_VERSION=4.1.0 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" WORKDIR /usr/share/kibana From 68c41bd64cdc4ec251b7c665e57743f4548c27d1 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 17 Feb 2021 17:40:19 +0100 Subject: [PATCH 33/35] Fix curl ssl check --- kibana/config/kibana_settings.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kibana/config/kibana_settings.sh b/kibana/config/kibana_settings.sh index b883b31b..f62054f1 100644 --- a/kibana/config/kibana_settings.sh +++ b/kibana/config/kibana_settings.sh 
@@ -74,6 +74,6 @@ curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/kibana/settings" -H "C sleep 5 # Do not ask user to help providing usage statistics to Elastic -curl -POST "$kibana_proto://127.0.0.1:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}' +curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}' echo "End settings" From 4eb80c83b01862f9bc75385046457b4992264593 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 17 Feb 2021 17:45:05 +0100 Subject: [PATCH 34/35] Update kibana xpack paths --- kibana/Dockerfile | 3 +-- kibana/config/wazuh_app_config.sh | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 75de7a92..f1be86dd 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile @@ -45,14 +45,13 @@ ENV PATTERN="" \ WORKDIR / USER kibana -RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --optimize COPY --chown=kibana:kibana config/entrypoint.sh ./entrypoint.sh RUN chmod 755 ./entrypoint.sh RUN printf "\nserver.defaultRoute: /app/wazuh\n" >> /usr/share/kibana/config/kibana.yml -COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/optimize/wazuh/config/wazuh.yml +COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./ RUN chmod +x ./wazuh_app_config.sh diff --git a/kibana/config/wazuh_app_config.sh b/kibana/config/wazuh_app_config.sh index c08980a5..fddf93b4 100644 --- a/kibana/config/wazuh_app_config.sh +++ b/kibana/config/wazuh_app_config.sh 
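Review bot: The telemetry opt-out call now passes `-k`, disabling certificate verification for the request to `$kibana_proto://127.0.0.1:5601`; it matches the settings call at the top of the hunk, and for a loopback connection inside the container the exposure is limited, but the reason should be recorded so the flag is not copied to non-loopback calls, e.g. `# -k: loopback call to this container's own listener, whose cert may not cover 127.0.0.1`. If the CA that signed the Kibana certificate is available in the image, `--cacert <path-to-ca>` would be the stricter alternative for both calls. The surrounding script starts and ends outside the hunk.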
@@ -6,7 +6,7 @@ wazuh_port="${API_PORT:-55000}" api_username="${API_USERNAME:-wazuh-wui}" api_password="${API_PASSWORD:-wazuh-wui}" -kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml" +kibana_config_file="/usr/share/kibana/data/wazuh/config/wazuh.yml" declare -A CONFIG_MAP=( [pattern]=$PATTERN From 5da9c5dd1f1b5da968bbe4ab22b2bad4cc5ae2c5 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 17 Feb 2021 17:54:09 +0100 Subject: [PATCH 35/35] Add xpack-from-sources --- xpack-compose.yml | 6 -- xpack-from-sources.yml | 192 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 192 insertions(+), 6 deletions(-) create mode 100644 xpack-from-sources.yml diff --git a/xpack-compose.yml b/xpack-compose.yml index 465bc646..da4c2290 100644 --- a/xpack-compose.yml +++ b/xpack-compose.yml @@ -3,11 +3,6 @@ version: '3.7' services: wazuh: - build: - context: wazuh-odfe/ - args: - - FILEBEAT_CHANNEL=filebeat - - FILEBEAT_VERSION=7.10.2 image: wazuh/wazuh:4.1.0 hostname: wazuh-manager restart: always @@ -151,7 +146,6 @@ services: kibana: - build: kibana/ image: wazuh/wazuh-kibana:4.1.0 hostname: kibana restart: always diff --git a/xpack-from-sources.yml b/xpack-from-sources.yml new file mode 100644 index 00000000..465bc646 --- /dev/null +++ b/xpack-from-sources.yml 
@@ -0,0 +1,192 @@
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+version: '3.7'
+
+services:
+ wazuh:
+ build:
+ context: wazuh-odfe/
+ args:
+ - FILEBEAT_CHANNEL=filebeat
+ - FILEBEAT_VERSION=7.10.2
+ image: wazuh/wazuh:4.1.0
+ hostname: wazuh-manager
+ restart: always
+ ports:
+ - "1514:1514"
+ - "1515:1515"
+ - "514:514/udp"
+ - "55000:55000"
+ environment:
+ - ELASTICSEARCH_URL=https://elasticsearch:9200
+ - ELASTIC_USERNAME=elastic
+ - ELASTIC_PASSWORD=SecretPassword
+ - FILEBEAT_SSL_VERIFICATION_MODE=none
+ - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/ca.crt
+ - SSL_CERTIFICATE=/etc/ssl/wazuh.crt
+ - SSL_KEY=/etc/ssl/wazuh.key
+ volumes:
+ - ossec_api_configuration:/var/ossec/api/configuration
+ - ossec_etc:/var/ossec/etc
+ - ossec_logs:/var/ossec/logs
+ - ossec_queue:/var/ossec/queue
+ - ossec_var_multigroups:/var/ossec/var/multigroups
+ - ossec_integrations:/var/ossec/integrations
+ - ossec_active_response:/var/ossec/active-response/bin
+ - ossec_agentless:/var/ossec/agentless
+ - ossec_wodles:/var/ossec/wodles
+ - filebeat_etc:/etc/filebeat
+ - filebeat_var:/var/lib/filebeat
+ - ./xpack/ca/ca.crt:/etc/ssl/ca.crt
+ - ./xpack/wazuh/wazuh.crt:/etc/ssl/wazuh.crt
+ - ./xpack/wazuh/wazuh.key:/etc/ssl/wazuh.key
+
+
+ elasticsearch:
+ image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
+ hostname: elasticsearch
+ restart: always
+ ports:
+ - "9200:9200"
+ environment:
+ - cluster.name=wazuh-cluster
+ - node.name=elasticsearch
+ - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
+ - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
+ - ELASTIC_PASSWORD=SecretPassword
+ - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+ - bootstrap.memory_lock=true
+ - xpack.license.self_generated.type=basic
+ - xpack.security.enabled=true
+ - xpack.security.http.ssl.enabled=true
+ - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+ - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+ - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+ - xpack.security.transport.ssl.enabled=true
+ - xpack.security.transport.ssl.verification_mode=certificate
+ - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+ - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+ - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ nofile:
+ soft: 65536
+ hard: 65536
+ volumes:
+ - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
+ - ./xpack/elasticsearch/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key
+ - ./xpack/elasticsearch/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt
+
+ elasticsearch2:
+ image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
+ hostname: elasticsearch2
+ restart: always
+ environment:
+ - cluster.name=wazuh-cluster
+ - node.name=elasticsearch2
+ - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
+ - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
+ - ELASTIC_PASSWORD=SecretPassword
+ - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+ - bootstrap.memory_lock=true
+ - xpack.license.self_generated.type=basic
+ - xpack.security.enabled=true
+ - xpack.security.http.ssl.enabled=true
+ - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+ - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+ - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+ - xpack.security.transport.ssl.enabled=true
+ - xpack.security.transport.ssl.verification_mode=certificate
+ - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+ - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+ - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ nofile:
+ soft: 65536
+ hard: 65536
+ volumes:
+ - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
+ - ./xpack/elasticsearch2/elasticsearch2.key:/usr/share/elasticsearch/config/elasticsearch.key
+ - ./xpack/elasticsearch2/elasticsearch2.crt:/usr/share/elasticsearch/config/elasticsearch.crt
+
+ elasticsearch3:
+ image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
+ hostname: elasticsearch3
+ restart: always
+ environment:
+ - cluster.name=wazuh-cluster
+ - node.name=elasticsearch3
+ - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
+ - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
+ - ELASTIC_PASSWORD=SecretPassword
+ - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+ - bootstrap.memory_lock=true
+ - xpack.license.self_generated.type=basic
+ - xpack.security.enabled=true
+ - xpack.security.http.ssl.enabled=true
+ - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+ - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+ - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+ - xpack.security.transport.ssl.enabled=true
+ - xpack.security.transport.ssl.verification_mode=certificate
+ - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+ - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+ - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ nofile:
+ soft: 65536
+ hard: 65536
+ volumes:
+ - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
+ - ./xpack/elasticsearch3/elasticsearch3.key:/usr/share/elasticsearch/config/elasticsearch.key
+ - ./xpack/elasticsearch3/elasticsearch3.crt:/usr/share/elasticsearch/config/elasticsearch.crt
+
+
+
+ kibana:
+ build: kibana/
+ image: wazuh/wazuh-kibana:4.1.0
+ hostname: kibana
+ restart: always
+ ports:
+ - 443:5601
+ environment:
+ - SERVERNAME=localhost
+ - ELASTICSEARCH_USERNAME=elastic
+ - ELASTICSEARCH_PASSWORD=SecretPassword
+ - ELASTICSEARCH_URL=https://elasticsearch:9200
+ - ELASTICSEARCH_HOSTS=https://elasticsearch:9200
+ - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=/usr/share/kibana/config/ca.crt
+ - SERVER_SSL_ENABLED=true
+ - XPACK_SECURITY_ENABLED=true
+ - SERVER_SSL_KEY=/usr/share/kibana/config/kibana.key
+ - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/kibana.crt
+ volumes:
+ - ./xpack/ca/ca.crt:/usr/share/kibana/config/ca.crt
+ - ./xpack/kibana/kibana.key:/usr/share/kibana/config/kibana.key
+ - ./xpack/kibana/kibana.crt:/usr/share/kibana/config/kibana.crt
+ depends_on:
+ - elasticsearch
+ links:
+ - elasticsearch:elasticsearch
+ - wazuh:wazuh
+
+volumes:
+ ossec_api_configuration:
+ ossec_etc:
+ ossec_logs:
+ ossec_queue:
+ ossec_var_multigroups:
+ ossec_integrations:
+ ossec_active_response:
+ ossec_agentless:
+ ossec_wodles:
+ filebeat_etc:
+ filebeat_var:
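Review bot: The wazuh service sets `FILEBEAT_SSL_VERIFICATION_MODE=none` while the same service mounts the CA at `/etc/ssl/ca.crt` and points `SSL_CERTIFICATE_AUTHORITIES` at it, so, assuming the image forwards this to Filebeat's `ssl.verification_mode`, the connection to Elasticsearch accepts any certificate and the mounted CA is never used for verification; with the CA in place this should be `- FILEBEAT_SSL_VERIFICATION_MODE=full`. `ELASTIC_PASSWORD=SecretPassword` (and `ELASTICSEARCH_PASSWORD` on kibana) is repeated as a literal across all five services in a file committed to the repository; compose variable substitution such as `- ELASTIC_PASSWORD=${ELASTIC_PASSWORD}` read from an untracked `.env` keeps the one value out of version control and stops the services drifting apart when it is rotated. The kibana `links:` entries are legacy and redundant with the default network plus `depends_on`, and a header comment saying this file is the local-build counterpart of xpack-compose.yml would explain why `build:` appears only here.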