Merge 4.8.0 into 4.8.1

CHANGELOG.md

@@ -11,6 +11,11 @@ All notable changes to this project will be documented in this file.
 
 - Update Wazuh to version [4.8.0](https://github.com/wazuh/wazuh/blob/v4.8.0/CHANGELOG.md#v480)
 
+## Wazuh Docker v4.7.3
+### Added
+
+- Update Wazuh to version [4.7.3](https://github.com/wazuh/wazuh/blob/v4.7.3/CHANGELOG.md#v473)
+
 ## Wazuh Docker v4.7.2
 ### Added
 

build-docker-images/wazuh-dashboard/Dockerfile

@@ -1,13 +1,13 @@
 # Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
-FROM ubuntu:jammy AS builder
+FROM amazonlinux:2023.3.20240219.0 AS builder
 
 ARG WAZUH_VERSION
 ARG WAZUH_TAG_REVISION
 ARG INSTALL_DIR=/usr/share/wazuh-dashboard
 ARG WAZUH_UI_REVISION
 
 # Update and install dependencies
-RUN apt-get update && apt install curl libcap2-bin xz-utils -y
+RUN yum install curl-minimal libcap xz tar openssl -y
 
 # Create Install dir
 RUN mkdir -p $INSTALL_DIR
@@ -42,7 +42,7 @@ RUN mkdir -p $INSTALL_DIR/data/wazuh/logs && chown -R 101:101 $INSTALL_DIR/data/
 # Add entrypoint
 # Add wazuh_app_config
 ################################################################################
-FROM ubuntu:jammy
+FROM amazonlinux:2023.3.20240219.0
 
 # Set environment variables
 ENV USER="wazuh-dashboard" \
@@ -80,6 +80,9 @@ ENV PATTERN="" \
     WAZUH_MONITORING_SHARDS="" \
     WAZUH_MONITORING_REPLICAS=""
 
+# Update and install dependencies
+RUN yum install shadow-utils -y
+
 # Create wazuh-dashboard user and group
 RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
 RUN useradd --system \

build-docker-images/wazuh-dashboard/config/dl_base.sh

@@ -1,5 +1,5 @@
 REPOSITORY="packages.wazuh.com/4.x"
-WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2-)
+WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '["]tag_name["]:' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2-)
 MAJOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f1)
 MID_BUILD=$(echo $WAZUH_VERSION | cut -d. -f2)
 MINOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f3)

build-docker-images/wazuh-dashboard/config/install_wazuh_app.sh

@@ -2,7 +2,7 @@
 WAZUH_APP=https://packages.wazuh.com/4.x/ui/dashboard/wazuh-${WAZUH_VERSION}-${WAZUH_UI_REVISION}.zip
 WAZUH_CHECK_UPDATES=https://packages.wazuh.com/4.x/ui/dashboard/wazuhCheckUpdates-${WAZUH_VERSION}-${WAZUH_UI_REVISION}.zip
 WAZUH_CORE=https://packages.wazuh.com/4.x/ui/dashboard/wazuhCore-${WAZUH_VERSION}-${WAZUH_UI_REVISION}.zip
-WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2-)
+WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '["]tag_name["]:' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2-)
 MAJOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f1)
 MID_BUILD=$(echo $WAZUH_VERSION | cut -d. -f2)
 MINOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f3)

build-docker-images/wazuh-indexer/Dockerfile

@@ -1,10 +1,10 @@
 # Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
-FROM ubuntu:jammy AS builder
+FROM amazonlinux:2023.3.20240219.0 AS builder
 
 ARG WAZUH_VERSION
 ARG WAZUH_TAG_REVISION
 
-RUN apt-get update -y && apt-get install curl openssl xz-utils -y
+RUN yum install curl-minimal openssl xz tar findutils shadow-utils -y
 
 COPY config/opensearch.yml /
 
@@ -27,15 +27,16 @@ RUN bash config.sh
 #
 # Copy wazuh-indexer from stage 0
 # Add entrypoint
+
 ################################################################################
-FROM ubuntu:jammy
+FROM amazonlinux:2023.3.20240219.0
 
 ENV USER="wazuh-indexer" \
     GROUP="wazuh-indexer" \
     NAME="wazuh-indexer" \
     INSTALL_DIR="/usr/share/wazuh-indexer"
 
-RUN apt-get update -y && apt-get install curl -y
+RUN yum install curl-minimal shadow-utils findutils hostname -y
 
 RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
 
@@ -54,9 +55,7 @@ COPY config/entrypoint.sh /
 
 COPY config/securityadmin.sh /
 
-COPY config/ism-check.sh /
-
-RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh && chmod 700 /ism-check.sh
+RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh
 
 RUN chown 1000:1000 /*.sh
 

build-docker-images/wazuh-indexer/config/config.sh

@@ -23,7 +23,7 @@ rm -rf ${INSTALLATION_DIR}/
 
 ## variables
 REPOSITORY="packages.wazuh.com/4.x"
-WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2-)
+WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '["]tag_name["]:' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2-)
 MAJOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f1)
 MID_BUILD=$(echo $WAZUH_VERSION | cut -d. -f2)
 MINOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f3)

build-docker-images/wazuh-indexer/config/entrypoint.sh

@@ -90,6 +90,4 @@ fi
 #  touch "/var/lib/wazuh-indexer/.flag"
 #fi
 
-nohup /ism-check.sh &
-
 run_as_other_user_if_needed /usr/share/wazuh-indexer/bin/opensearch <<<"$KEYSTORE_PASSWORD"

build-docker-images/wazuh-manager/Dockerfile

@@ -1,5 +1,5 @@
 # Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
-FROM ubuntu:jammy
+FROM amazonlinux:2023.3.20240219.0
 
 RUN rm /bin/sh && ln -s /bin/bash /bin/sh
 
@@ -9,22 +9,24 @@ ARG FILEBEAT_TEMPLATE_BRANCH
 ARG FILEBEAT_CHANNEL=filebeat-oss
 ARG FILEBEAT_VERSION=7.10.2
 ARG WAZUH_FILEBEAT_MODULE
+ARG S6_VERSION="v2.2.0.3"
 
-RUN apt-get update && apt install curl apt-transport-https lsb-release xz-utils gnupg -y
+RUN yum install curl-minimal xz gnupg tar gzip openssl findutils procps -y &&\
+    yum clean all
 
 COPY config/check_repository.sh /
+COPY config/filebeat_module.sh /
+COPY config/permanent_data.env config/permanent_data.sh /
+
 RUN chmod 775 /check_repository.sh
 RUN source /check_repository.sh
 
-RUN apt-get update && \
-    apt-get install wazuh-manager=${WAZUH_VERSION}-${WAZUH_TAG_REVISION}
-
-COPY config/filebeat_module.sh /
-RUN chmod 775 /filebeat_module.sh
-RUN source /filebeat_module.sh
-
-ARG S6_VERSION="v2.2.0.3"
-RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
+RUN yum install wazuh-manager-${WAZUH_VERSION}-${WAZUH_TAG_REVISION} -y && \
+    yum clean all && \
+    chmod 775 /filebeat_module.sh && \
+    source /filebeat_module.sh && \
+    rm /filebeat_module.sh && \
+    curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
     -o /tmp/s6-overlay-amd64.tar.gz && \
     tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \
     tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \
@@ -43,11 +45,6 @@ RUN chmod go-w /etc/filebeat/wazuh-template.json
 # Prepare permanent data
 # Sync calls are due to https://github.com/docker/docker/issues/9547
 
-COPY config/permanent_data.env config/permanent_data.sh /
-RUN chmod 755 /permanent_data.sh && \
-    sync && /permanent_data.sh && \
-    sync && rm /permanent_data.sh
-
 #Make mount directories for keep permissions
 
 RUN mkdir -p /var/ossec/var/multigroups && \
@@ -58,7 +55,10 @@ RUN mkdir -p /var/ossec/var/multigroups && \
     chmod 770 /var/ossec/agentless && \
     mkdir -p /var/ossec/active-response/bin && \
     chown root:wazuh /var/ossec/active-response/bin && \
-    chmod 770 /var/ossec/active-response/bin
+    chmod 770 /var/ossec/active-response/bin && \
+    chmod 755 /permanent_data.sh && \
+    sync && /permanent_data.sh && \
+    sync && rm /permanent_data.sh
 
 # Services ports
 EXPOSE 55000/tcp 1514/tcp 1515/tcp 514/udp 1516/tcp

build-docker-images/wazuh-manager/config/check_repository.sh

@@ -1,7 +1,7 @@
 ## variables
-GPG_SIGN='[arch=amd64 signed-by=/etc/apt/keyrings/wazuh.gpg]'
 APT_KEY=https://packages.wazuh.com/key/GPG-KEY-WAZUH
-REPOSITORY="deb ${GPG_SIGN} https://packages.wazuh.com/4.x/apt/ stable main"
+GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
+REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1"
 WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2-)
 MAJOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f1)
 MID_BUILD=$(echo $WAZUH_VERSION | cut -d. -f2)
@@ -13,18 +13,18 @@ MINOR_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f3)
 ## check version to use the correct repository
 if [ "$MAJOR_BUILD" -gt "$MAJOR_CURRENT" ]; then
   APT_KEY=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
-  REPOSITORY="deb ${GPG_SIGN} https://packages-dev.wazuh.com/pre-release/apt/ unstable main"
+  REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1"
 elif [ "$MAJOR_BUILD" -eq "$MAJOR_CURRENT" ]; then
   if [ "$MID_BUILD" -gt "$MID_CURRENT" ]; then
     APT_KEY=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
-    REPOSITORY="deb ${GPG_SIGN} https://packages-dev.wazuh.com/pre-release/apt/ unstable main"
+    REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1"
   elif [ "$MID_BUILD" -eq "$MID_CURRENT" ]; then
     if [ "$MINOR_BUILD" -gt "$MINOR_CURRENT" ]; then
       APT_KEY=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
-      REPOSITORY="deb ${GPG_SIGN} https://packages-dev.wazuh.com/pre-release/apt/ unstable main"
+      REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1"
     fi
   fi
 fi
 
-curl ${APT_KEY} | gpg --dearmor -o /etc/apt/keyrings/wazuh.gpg
-echo ${REPOSITORY} | tee -a /etc/apt/sources.list.d/wazuh.list
+rpm --import "${APT_KEY}"
+echo -e "${REPOSITORY}" | tee /etc/yum.repos.d/wazuh.repo

build-docker-images/wazuh-manager/config/etc/cont-init.d/0-wazuh-init

@@ -184,8 +184,9 @@ set_rids_owner() {
 ##############################################################################
 
 set_correct_permOwner() {
-  find / -group 997 -exec chown :101 {} +;
-  find / -user 999 -exec chown 101 {} +;
+  find / -group 997 -exec chown :999 {} +;
+  find / -group 101 -exec chown :999 {} +;
+  find / -user 101 -exec chown 999 {} +;
 }
 
 ##############################################################################

build-docker-images/wazuh-manager/config/filebeat.yml

@@ -9,6 +9,8 @@ filebeat.modules:
 
 setup.template.json.enabled: true
 setup.template.overwrite: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
 setup.ilm.enabled: false
 output.elasticsearch:
   hosts: ['https://wazuh.indexer:9200']

build-docker-images/wazuh-manager/config/filebeat_module.sh

@@ -1,5 +1,5 @@
 REPOSITORY="packages.wazuh.com/4.x"
-WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2-)
+WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '["]tag_name["]:' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2-)
 MAJOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f1)
 MID_BUILD=$(echo $WAZUH_VERSION | cut -d. -f2)
 MINOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f3)
@@ -20,6 +20,6 @@ elif [ "$MAJOR_BUILD" -eq "$MAJOR_CURRENT" ]; then
   fi
 fi
 
-curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb &&\
-dpkg -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb && \
+curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm &&\
+yum install -y ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \
 curl -s https://${REPOSITORY}/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module

build-docker-images/wazuh-manager/config/permanent_data.env

@@ -16,13 +16,16 @@ export PERMANENT_DATA
 # Files mounted in a volume that should not be permanent
 i=0
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/internal_options.conf"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/maltiverse"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/maltiverse.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop"
@@ -53,6 +56,27 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/utils.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/__init__.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws_tools.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/wazuh_integration.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/__init__.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/aws_bucket.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/cloudtrail.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/config.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/guardduty.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/load_balancers.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/server_access.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/umbrella.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/vpcflow.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/waf.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/services/__init__.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/services/aws_service.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/services/cloudwatchlogs.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/services/inspector.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/subscribers/__init__.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/subscribers/s3_log_handler.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/subscribers/sqs_message_processor.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/subscribers/sqs_queue.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"

multi-node/docker-compose.yml

@@ -89,7 +89,6 @@ services:
     environment:
       - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
       - "bootstrap.memory_lock=true"
-      - 'INDEXER_PASSWORD=SecretPassword'
     ulimits:
       memlock:
         soft: -1

single-node/docker-compose.yml

@@ -52,8 +52,7 @@ services:
     ports:
       - "9200:9200"
     environment:
-      - "OPENSEARCH_JAVA_OPTS=-Xms1024m -Xmx1024m"
-      - 'INDEXER_PASSWORD=SecretPassword'
+      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
     ulimits:
       memlock:
         soft: -1