diff --git a/.github/workflows/wazuh-build-push-docker-action.yml b/.github/workflows/wazuh-build-push-docker-action.yml
index 74c233c965..74be8e29e1 100644
--- a/.github/workflows/wazuh-build-push-docker-action.yml
+++ b/.github/workflows/wazuh-build-push-docker-action.yml
@@ -55,63 +55,63 @@ jobs: name: Run build and push manager image runs-on: ubuntu-latest steps: - - name: Step 01 - Download wazuh-kibana-app - uses: actions/checkout@v2 - with: + - name: Step 01 - Download wazuh-kibana-app + uses: actions/checkout@v2 + with: path: wazuh-kibana-app - - name: Step 02 - Login to quay.io - run: | - docker login -u=${{ secrets.QUAYIO_USERNAME }} -p=${{ secrets.QUAYIO_TOKEN }} quay.io - - name: Step 03 - Build image - run: | - cd ${{ github.workspace }}/wazuh-kibana-app/test/cypress/images/wazuh_manager_filebeat_sources_cmake - docker build -t quay.io/wazuh/wazuh-manager-image:${{ github.event.inputs.wazuh-manager-version }}-${{ github.event.inputs.elastic-manager-version }} \ - --build-arg WAZUH_VERSION=${{ github.event.inputs.wazuh-manager-version }} \ - --build-arg FILEBEAT_VERSION=${{ github.event.inputs.elastic-manager-version }} \ - --build-arg FILEBEAT_WAZUH_TEMPLATE_URL=https://raw.githubusercontent.com/wazuh/wazuh/4.0/extensions/elasticsearch/7.x/wazuh-template.json \ - --build-arg FILEBEAT_WAZUH_MODULE_URL=https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz . 
- - name: Step 04 - Push image to quay.io - run: | - docker push quay.io/wazuh/wazuh-manager-image:${{ github.event.inputs.wazuh-manager-version }}-${{ github.event.inputs.elastic-manager-version }} + - name: Step 02 - Login to quay.io + run: | + docker login -u=${{ secrets.QUAYIO_USERNAME }} -p=${{ secrets.QUAYIO_TOKEN }} quay.io + - name: Step 03 - Build image + run: | + cd ${{ github.workspace }}/wazuh-kibana-app/test/cypress/images/wazuh_manager_filebeat_sources_cmake + docker build -t quay.io/wazuh/wazuh-manager-image:${{ github.event.inputs.wazuh-manager-version }}-${{ github.event.inputs.elastic-manager-version }} \ + --build-arg WAZUH_VERSION=${{ github.event.inputs.wazuh-manager-version }} \ + --build-arg FILEBEAT_VERSION=${{ github.event.inputs.elastic-manager-version }} \ + --build-arg FILEBEAT_WAZUH_TEMPLATE_URL=https://raw.githubusercontent.com/wazuh/wazuh/4.0/extensions/elasticsearch/7.x/wazuh-template.json \ + --build-arg FILEBEAT_WAZUH_MODULE_URL=https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz . 
+ - name: Step 04 - Push image to quay.io + run: | + docker push quay.io/wazuh/wazuh-manager-image:${{ github.event.inputs.wazuh-manager-version }}-${{ github.event.inputs.elastic-manager-version }} job-build-agent-image: if: ${{ github.event.inputs.build-agent-image == 'true' }} name: Run build and push agent image runs-on: ubuntu-latest steps: - - name: Step 01 - Download wazuh-kibana-app - uses: actions/checkout@v2 - with: + - name: Step 01 - Download wazuh-kibana-app + uses: actions/checkout@v2 + with: path: wazuh-kibana-app - - name: Step 02 - Login to quay.io - run: | - docker login -u=${{ secrets.QUAYIO_USERNAME }} -p=${{ secrets.QUAYIO_TOKEN }} quay.io - - name: Step 03 - Build image - run: | - cd ${{ github.workspace }}/wazuh-kibana-app/test/cypress/images/wazuh_agent_ubuntu_sources_cmake - docker build -t quay.io/wazuh/wazuh-agent-image:${{ github.event.inputs.wazuh-agent-version }} \ - --build-arg WAZUH_VERSION=${{ github.event.inputs.wazuh-agent-version }} . - - name: Step 04 - Push image to quay.io - run: | - docker push quay.io/wazuh/wazuh-agent-image:${{ github.event.inputs.wazuh-agent-version }} + - name: Step 02 - Login to quay.io + run: | + docker login -u=${{ secrets.QUAYIO_USERNAME }} -p=${{ secrets.QUAYIO_TOKEN }} quay.io + - name: Step 03 - Build image + run: | + cd ${{ github.workspace }}/wazuh-kibana-app/test/cypress/images/wazuh_agent_ubuntu_sources_cmake + docker build -t quay.io/wazuh/wazuh-agent-image:${{ github.event.inputs.wazuh-agent-version }} \ + --build-arg WAZUH_VERSION=${{ github.event.inputs.wazuh-agent-version }} . 
+ - name: Step 04 - Push image to quay.io + run: | + docker push quay.io/wazuh/wazuh-agent-image:${{ github.event.inputs.wazuh-agent-version }} job-build-cypress-image: if: ${{ github.event.inputs.build-cypress-image == 'true' }} name: Run build and push cypress image runs-on: ubuntu-latest steps: - - name: Step 01 - Download wazuh-kibana-app - uses: actions/checkout@v2 - with: + - name: Step 01 - Download wazuh-kibana-app + uses: actions/checkout@v2 + with: path: wazuh-kibana-app - - name: Step 02 - Login to quay.io - run: | - docker login -u=${{ secrets.QUAYIO_USERNAME }} -p=${{ secrets.QUAYIO_TOKEN }} quay.io - - name: Step 03 - Build image - run: | - cd ${{ github.workspace }}/wazuh-kibana-app/test/cypress/images/ubuntu-cypress - docker build -t quay.io/wazuh/wazuh-ubuntu-cypress:${{ github.event.inputs.image-cypress-version }} \ - --build-arg UBUNTU_CYPRESS_BRANCH=${{ github.event.inputs.ubuntu-cypress-branch }} . - - name: Step 04 - Push image to quay.io - run: | - docker push quay.io/wazuh/wazuh-ubuntu-cypress:${{ github.event.inputs.image-cypress-version }} + - name: Step 02 - Login to quay.io + run: | + docker login -u=${{ secrets.QUAYIO_USERNAME }} -p=${{ secrets.QUAYIO_TOKEN }} quay.io + - name: Step 03 - Build image + run: | + cd ${{ github.workspace }}/wazuh-kibana-app/test/cypress/images/ubuntu-cypress + docker build -t quay.io/wazuh/wazuh-ubuntu-cypress:${{ github.event.inputs.image-cypress-version }} \ + --build-arg UBUNTU_CYPRESS_BRANCH=${{ github.event.inputs.ubuntu-cypress-branch }} . + - name: Step 04 - Push image to quay.io + run: | + docker push quay.io/wazuh/wazuh-ubuntu-cypress:${{ github.event.inputs.image-cypress-version }} diff --git a/CHANGELOG.md b/CHANGELOG.md index 390eb6a960..b39b4920d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
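Review bot: `Step 02 - Login to quay.io` in all three jobs of this hunk still hands the registry token to `docker login` as `-p=${{ secrets.QUAYIO_TOKEN }}` on the command line, which Docker itself warns against because the value becomes visible in the runner's process list and shell history; since the commit already rewrites every line of these steps, switch to stdin: `echo "${{ secrets.QUAYIO_TOKEN }}" | docker login -u "${{ secrets.QUAYIO_USERNAME }}" --password-stdin quay.io`. The `Step 03` scripts likewise splice `github.event.inputs.*` straight into the `run:` text; mapping them to `env:` entries (e.g. `WAZUH_VERSION: ${{ github.event.inputs.wazuh-manager-version }}`) and using `"$WAZUH_VERSION"` in the shell keeps a dispatch input from ever being interpreted as shell syntax. `actions/checkout@v2` is referenced by a mutable tag rather than a commit SHA, which is a separate hardening the workflow may want. The `jobs:` mapping starts before this hunk.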
@@ -38,7 +38,21 @@ All notable changes to the Wazuh app project will be documented in this file. - Removed the application menu in the IT Hygiene application [#6176](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6176) - Removed the implicit filter of WQL language of the search bar UI [#6174](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6174) -## Wazuh v4.7.1 - OpenSearch Dashboards 2.8.0 - Revision 01 +## Wazuh v4.7.2 - OpenSearch Dashboards 2.8.0 - Revision 00 + +### Added + +- Support for Wazuh 4.7.2 +- Added contextual information in the register agent commands [#6208](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6208) +- Added host name and board serial information to Agents > Inventory data [#6191](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6191) + +### Fixed + +- Fixed Agents preview page load when there are no registered agents [#6185](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6185) +- Fixed the endpoint to get Wazuh server auth configuration [#6206](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6206) [#6213](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6213) +- Fixed error navigating back to agent in some scenarios [#6224](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6224) + +## Wazuh v4.7.1 - OpenSearch Dashboards 2.8.0 - Revision 03 ### Added 
@@ -49,6 +63,7 @@ All notable changes to the Wazuh app project will be documented in this file. - Fixed problem when using non latin characters in the username [#6076](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6076) - Fixed UI crash on retrieving log collection configuration for macos agent. [#6104](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6104) - Fixed incorrect validation of the agent name on the Deploy new agent window [#6105](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6105) +- Fixed missing columns in the agents table of Groups [#6184](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6184) ## Wazuh v4.7.0 - OpenSearch Dashboards 2.8.0 - Revision 04 diff --git a/docker/kbn-dev/dev.yml b/docker/kbn-dev/dev.yml index f01c481224..c6abeb041b 100755 --- a/docker/kbn-dev/dev.yml +++ b/docker/kbn-dev/dev.yml @@ -1,16 +1,16 @@ -version: "2.2" +version: '2.2' x-logging: &logging logging: driver: loki options: - loki-url: "http://host.docker.internal:3100/loki/api/v1/push" + loki-url: 'http://host.docker.internal:3100/loki/api/v1/push' services: exporter: image: quay.io/prometheuscommunity/elasticsearch-exporter:latest <<: *logging - hostname: "exporter-kbn-${ES_VERSION}" + hostname: 'exporter-kbn-${ES_VERSION}' networks: - es-dev - mon @@ -21,7 +21,7 @@ services: imposter: image: outofcoffee/imposter - hostname: "imposter-kbn-${ES_VERSION}" + hostname: 'imposter-kbn-${ES_VERSION}' networks: - es-dev - mon @@ -32,7 +32,7 @@ services: volumes: - ../imposter:/opt/imposter/config ports: - - ${IMPOSTER_PORT}:8080 + - ${IMPOSTER_PORT}:8080 filebeat: depends_on: @@ -40,7 +40,7 @@ services: condition: service_healthy image: elastic/filebeat:7.10.2 hostname: filebeat - user: "0:0" + user: '0:0' networks: - es-dev - mon 
@@ -54,7 +54,7 @@ services: echo admin | filebeat keystore add username --stdin --force echo ${ELASTIC_PASSWORD}| filebeat keystore add password --stdin --force curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.3/extensions/elasticsearch/7.x/wazuh-template.json - curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module + curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module # copy filebeat to preserve correct permissions without # affecting host filesystem cp /tmp/filebeat.yml /usr/share/filebeat/filebeat.yml @@ -69,7 +69,7 @@ services: setup: hostname: setup - user: "0" + user: '0' image: docker.elastic.co/elasticsearch/elasticsearch:${ES_VERSION} volumes: - certs:/usr/share/elasticsearch/config/certs @@ -120,7 +120,7 @@ services: echo "All done!"; ' healthcheck: - test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"] + test: ['CMD-SHELL', '[ -f config/certs/es01/es01.crt ]'] interval: 1s timeout: 5s retries: 120 @@ -140,7 +140,7 @@ services: - certs:/usr/share/elasticsearch/config/certs - esdata01:/usr/share/elasticsearch/data environment: - - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + - 'ES_JAVA_OPTS=-Xms512m -Xmx512m' - node.name=es01 - discovery.type=single-node - discovery.seed_hosts=es01 @@ -166,7 +166,7 @@ services: healthcheck: test: [ - "CMD-SHELL", + 'CMD-SHELL', "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'", ] interval: 10s @@ -186,7 +186,7 @@ services: - mon <<: *logging volumes: - - "${SRC}:/home/node/kbn/plugins/wazuh" + - '${SRC}:/home/node/kbn/plugins/wazuh' - certs:/home/node/kbn/config/certs - kibana_cache:/home/node/.cache - ./config/kibana/kibana.yml:/home/node/kbn/config/kibana.yml 
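Review bot: The bumped `curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module` line in the `@@ -54` hunk still pipes an unverified download straight into `tar`, and `-s` without `--fail` means an HTTP error body is handed to `tar` instead of aborting the setup. Pinning a digest makes the new module version reproducible and catches a truncated or tampered archive: `curl -sfo /tmp/wazuh-filebeat-0.4.tar.gz https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz`, `echo "<EXPECTED_SHA256>  /tmp/wazuh-filebeat-0.4.tar.gz" | sha256sum -c -`, `tar -xvz -C /usr/share/filebeat/module -f /tmp/wazuh-filebeat-0.4.tar.gz` (placeholder to be filled from the published release). The same line is changed identically in `docker/osd-dev/dev.yml`, `docker/wazuh-4.2-es/pre.yml`, `docker/wazuh-4.3-wz/pre.yml` and `docker/wazuh-4.4-wz/pre.yml`, and the workflow's `FILEBEAT_WAZUH_MODULE_URL` build-arg fetches the same archive. The filebeat `command:` block this line belongs to starts and ends outside the hunk.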
@@ -198,7 +198,7 @@ services: # Kibana configuration is in the mounted config file, as the entrypoint # does not generate the config file from the envirtonment - LOGS=/proc/1/fd/1 - entrypoint: ["tail", "-f", "/dev/null"] + entrypoint: ['tail', '-f', '/dev/null'] healthcheck: test: sh /home/node/setup_permissions.sh es01 interval: 5s diff --git a/docker/osd-dev/config/1.x/osd/wazuh.yml b/docker/osd-dev/config/1.x/osd/wazuh.yml index 76c3a973ab..3f3bc90bbb 100755 --- a/docker/osd-dev/config/1.x/osd/wazuh.yml +++ b/docker/osd-dev/config/1.x/osd/wazuh.yml @@ -1,18 +1,18 @@ hosts: - manager: - url: "https://wazuh.manager" + url: 'https://wazuh.manager' port: 55000 username: wazuh-wui password: MyS3cr37P450r.*- run_as: false - imposter: - url: "http://imposter" + url: 'http://imposter' port: 8080 username: wazuh-wui password: MyS3cr37P450r.*- run_as: false - imposter-cli: - url: "http://" + url: 'http://' port: 8080 username: wazuh-wui password: MyS3cr37P450r.*- diff --git a/docker/osd-dev/config/2.x/osd/wazuh.yml b/docker/osd-dev/config/2.x/osd/wazuh.yml index 76c3a973ab..3f3bc90bbb 100755 --- a/docker/osd-dev/config/2.x/osd/wazuh.yml +++ b/docker/osd-dev/config/2.x/osd/wazuh.yml @@ -1,18 +1,18 @@ hosts: - manager: - url: "https://wazuh.manager" + url: 'https://wazuh.manager' port: 55000 username: wazuh-wui password: MyS3cr37P450r.*- run_as: false - imposter: - url: "http://imposter" + url: 'http://imposter' port: 8080 username: wazuh-wui password: MyS3cr37P450r.*- run_as: false - imposter-cli: - url: "http://" + url: 'http://' port: 8080 username: wazuh-wui password: MyS3cr37P450r.*- diff --git a/docker/osd-dev/config/wazuh_cluster/wazuh_manager.conf b/docker/osd-dev/config/wazuh_cluster/wazuh_manager.conf new file mode 100755 index 0000000000..aff1af9d6c --- /dev/null +++ b/docker/osd-dev/config/wazuh_cluster/wazuh_manager.conf 
@@ -0,0 +1,353 @@ + + + yes + yes + no + no + no + smtp.example.wazuh.com + wazuh@example.wazuh.com + recipient@example.wazuh.com + 12 + alerts.log + 10m + 0 + + + + 3 + 12 + + + + + plain + + + + secure + 1514 + tcp + 131072 + + + + + no + yes + yes + yes + yes + yes + yes + yes + + + 43200 + + etc/rootcheck/rootkit_files.txt + etc/rootcheck/rootkit_trojans.txt + + yes + + + + yes + 1800 + 1d + yes + + wodles/java + wodles/ciscat + + + + + yes + yes + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + yes + + + + + no + 1h + yes + yes + yes + yes + yes + yes + yes + + + + 10 + + + + + yes + yes + 12h + yes + + + + no + 5m + 6h + yes + + + + no + trusty + xenial + bionic + focal + 1h + + + + + no + stretch + buster + bullseye + 1h + + + + + no + 5 + 6 + 7 + 8 + 1h + + + + + no + amazon-linux + amazon-linux-2 + 1h + + + + + no + 1h + + + + + yes + 1h + + + + + yes + 2010 + 1h + + + + + + + no + + + 43200 + + yes + + + yes + + + no + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin,/boot + + + /etc/mtab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/random.seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + + + .log$|.swp$ + + + /etc/ssl/private.key + + yes + yes + yes + yes + + + 10 + + + 100 + + + + yes + 5m + 1h + 10 + + + + + + 127.0.0.1 + ^localhost.localdomain$ + 10.0.0.106 + + + + disable-account + disable-account + yes + + + + restart-wazuh + restart-wazuh + + + + firewall-drop + firewall-drop + yes + + + + host-deny + host-deny + yes + + + + route-null + route-null + yes + + + + win_route-null + route-null.exe + yes + + + + netsh + netsh.exe + yes + + + + + + + command + df -P + 360 + + + + full_command + netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + netstat listening 
ports + 360 + + + + full_command + last -n 20 + 360 + + + + + ruleset/decoders + ruleset/rules + 0215-policy_rules.xml + etc/lists/audit-keys + etc/lists/amazon/aws-eventnames + etc/lists/security-eventchannel + + + etc/decoders + etc/rules + + + + yes + 1 + 64 + 15m + + + + + no + 1515 + no + yes + no + HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH + + no + etc/sslmanager.cert + etc/sslmanager.key + no + + + + wazuh + node01 + master + + 1516 + 0.0.0.0 + + NODE_IP + + no + yes + + + + + + + syslog + /var/ossec/logs/active-responses.log + + + diff --git a/docker/osd-dev/dev.sh b/docker/osd-dev/dev.sh index 19558e9518..6de5984748 100755 --- a/docker/osd-dev/dev.sh +++ b/docker/osd-dev/dev.sh @@ -26,13 +26,20 @@ osd_versions=( '2.8.0' '2.9.0' '2.10.0' + '4.8.0' '4.6.0' '4.7.0' ) +wzs_version=( + '4.7.0' + '4.7.1' + '4.7.2' +) + usage() { echo - echo "./dev.sh os_version osd_version /wazuh_app_src action [saml]" + echo "./dev.sh os_version osd_version /wazuh_app_src action [saml/server] [server_version]" echo echo "where" echo " os_version is one of " ${os_versions[*]} @@ -40,6 +47,7 @@ usage() { echo " wazuh_app_src is the path to the wazuh application source code" echo " action is one of up | down | stop" echo " saml to deploy a saml enabled environment" + echo " server to deploy a real server enabled environment" exit -1 } @@ -100,6 +108,16 @@ if [[ "$5" =~ "saml" ]]; then export SEC_CONFIG_FILE=./config/${OSD_MAJOR}/os/config-saml.yml fi +if [[ "$5" =~ "server" ]]; then + profile="server" + if [[ ! " ${wzs_version[*]} " =~ " ${6} " ]]; then + echo "Wazuh server version ${6} not found in ${wzs_version[*]}" + echo + exit -1 + fi + export WAZUH_STACK="${6}" +fi + export SEC_CONFIG_PATH=/usr/share/opensearch/plugins/opensearch-security/securityconfig if [[ "$OSD_MAJOR" == "2.x" ]]; then export SEC_CONFIG_PATH=/usr/share/opensearch/config/opensearch-security 
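Review bot: This new 353-line manager configuration is added with no leading comment saying it is a development-only `ossec.conf` for the `server` profile or which values differ from the image default, and since this rendering has lost the XML element names, values such as `0.0.0.0` and the `NODE_IP` placeholder after port `1516` (presumably the cluster block) can only be read by position. Read the same way, the enrollment block around port `1515` appears to carry `no` for password-based enrollment and `no` for SSL host verification; if those positions are `use_password` and `ssl_verify_host`, any host that can reach the published 1515 port can enroll an agent, which is acceptable for a local stack but should be stated up front, for example `<!-- Development-only manager config mounted by docker/osd-dev/dev.yml (profile 'server'): agent enrollment has no password and NODE_IP is a placeholder; do not reuse outside local testing -->`. Also confirm that the `/wazuh-config-mount/etc/ossec.conf` mount expects a complete `<ossec_config>` file rather than a fragment, as the root element is not visible here.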
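Review bot: The new `server` branch in the `@@ -100` hunk validates `$6` with a substring match but never checks that it was supplied, so `./dev.sh ... up server` without a sixth argument prints `Wazuh server version  not found in ...` and exits, which hides the most likely mistake; guard it first with `if [[ -z "${6:-}" ]]; then echo "server mode requires a Wazuh server version (one of ${wzs_version[*]})"; usage; fi`. The array introduced in the first hunk is named `wzs_version` (singular) while its siblings are `os_versions` and `osd_versions`; `wzs_versions` would keep the naming consistent. The `'4.8.0'` entry inserted into `osd_versions` sits between `'2.10.0'` and `'4.6.0'`, so the list is no longer ordered; worth confirming it is an OpenSearch Dashboards tag and not a Wazuh version that belongs in the new array.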
@@ -109,6 +127,27 @@ case "$4" in up) /bin/bash ../scripts/create_docker_networks.sh docker compose --profile $profile -f dev.yml up -Vd + + # Display a command to deploy an agent when using the real server + if [[ "$5" =~ "server" ]]; then + echo + echo "**************WARNING**************" + echo "The agent version must be a published one. This uses only released versions." + echo "If you need to change de version, edit the command as you see fit." + echo "***********************************" + echo "1. (Optional) Enroll an agent (Ubuntu 20.04):" + echo "docker run --name ${COMPOSE_PROJECT_NAME}-agent-\$(date +%s) --network os-dev-${OS_VERSION} --label com.docker.compose.project=${COMPOSE_PROJECT_NAME} --env WAZUH_AGENT_VERSION=${WAZUH_STACK} -d ubuntu:20.04 bash -c '" + echo " apt update -y" + echo " apt install -y curl lsb-release" + echo " curl -so \wazuh-agent-\${WAZUH_AGENT_VERSION}.deb \\" + echo " https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_\${WAZUH_AGENT_VERSION}-1_amd64.deb \\" + echo " && WAZUH_MANAGER='wazuh.manager' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-\${WAZUH_AGENT_VERSION}.deb" + echo + echo " /etc/init.d/wazuh-agent start" + echo " tail -f /var/ossec/logs/ossec.log" + echo "'" + echo + fi ;; down) docker compose --profile $profile -f dev.yml down -v --remove-orphans diff --git a/docker/osd-dev/dev.yml b/docker/osd-dev/dev.yml index 04a7c00266..11f37f04af 100755 --- a/docker/osd-dev/dev.yml +++ b/docker/osd-dev/dev.yml @@ -9,9 +9,12 @@ version: '2.2' services: exporter: image: quay.io/prometheuscommunity/elasticsearch-exporter:latest + # <<: *logging + hostname: exporter-osd-${OS_VERSION} profiles: + - 'server' - 'saml' - 'standard' networks: @@ -24,6 +27,7 @@ services: imposter: image: outofcoffee/imposter + # <<: *logging hostname: imposter-osd-${OS_VERSION} networks: @@ -37,8 +41,10 @@ services: generator: image: cfssl/cfssl + # <<: *logging profiles: + - 'server' - 'saml' - 'standard' volumes: 
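Review bot: The printed enrollment command contains a stray backslash in `echo " curl -so \wazuh-agent-\${WAZUH_AGENT_VERSION}.deb \\"`: bash keeps `\w` literally inside double quotes, so the user is shown `curl -so \wazuh-agent-4.7.2.deb`, which only works because an unquoted `\w` collapses to `w` when pasted back into a shell; write `curl -so ./wazuh-agent-\${WAZUH_AGENT_VERSION}.deb \\` to match the `dpkg -i ./wazuh-agent-...` line two lines below. The banner text has a typo, `change de version` → `change the version`. The displayed command also installs the `.deb` with `dpkg -i` straight from a download with no checksum or signature verification; a one-line remark after the WARNING banner that the package is fetched unverified and that the apt repository should be used for anything beyond throwaway testing would set expectations. The `case "$4"` statement this block sits in starts and ends outside the hunk.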
@@ -128,8 +134,10 @@ services: condition: service_completed_successfully required: false image: opensearchproject/opensearch:${OS_VERSION} + # <<: *logging profiles: + - 'server' - 'saml' - 'standard' environment: @@ -157,6 +165,9 @@ services: - os_logs:/var/log/os1 - os_data:/var/lib/os1 + ports: + - 9200:9200 + - 9300:9300 networks: - os-dev - mon @@ -183,6 +194,7 @@ services: networks: - os-dev - mon + # <<: *logging # restart: always entrypoint: @@ -193,7 +205,7 @@ services: echo admin | filebeat keystore add username --stdin --force echo ${PASSWORD}| filebeat keystore add password --stdin --force curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.3/extensions/elasticsearch/7.x/wazuh-template.json - curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module + curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module # copy filebeat to preserve correct permissions without # affecting host filesystem cp /tmp/filebeat.yml /usr/share/filebeat/filebeat.yml @@ -212,6 +224,7 @@ services: condition: service_healthy image: quay.io/wazuh/osd-dev:${OSD_VERSION} profiles: + - 'server' - 'saml' - 'standard' hostname: osd @@ -220,6 +233,7 @@ services: - devel - mon user: '1000:1000' + # <<: *logging ports: - ${OSD_PORT}:5601 @@ -274,6 +288,7 @@ services: profiles: - 'saml' hostname: idp + # <<: *logging networks: - os-dev @@ -303,6 +318,7 @@ services: profiles: - 'saml' hostname: idpsetup + # <<: *logging networks: - os-dev 
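Review bot: The new `ports:` block under `os1` in the `@@ -157` hunk publishes `9200:9200` and `9300:9300` with no host address, so Docker binds them on every interface of the developer machine, while the only credentials this diff configures for that indexer are `admin`/`admin` (see `INDEXER_USERNAME`/`INDEXER_PASSWORD` in the `wazuh.manager` service added later in this file); binding to loopback, `- '127.0.0.1:9200:9200'` and `- '127.0.0.1:9300:9300'`, keeps the dev stack local without changing anything inside the Compose network. The `'514:514'` through `'55000:55000'` mappings of the new `wazuh.manager` service in the `@@ -317` hunk have the same exposure and take the same fix. Quoting these two entries would also match the style the manager's port list uses. The `os1` service definition starts and ends outside this hunk.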
@@ -317,6 +333,37 @@ services: bash /enable_saml.sh exit 0 ' + wazuh.manager: + depends_on: + os1: + condition: service_healthy + image: wazuh/wazuh-manager:${WAZUH_STACK} + profiles: + - 'server' + hostname: wazuh.manager + # <<: *logging + networks: + - os-dev + - mon + environment: + - INDEXER_URL=https://os1:9200 + - INDEXER_USERNAME=admin + - INDEXER_PASSWORD=admin + - FILEBEAT_SSL_VERIFICATION_MODE=full + - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/wazuh/ca.pem + - SSL_CERTIFICATE=/etc/ssl/wazuh/filebeat.pem + - SSL_KEY=/etc/ssl/wazuh/filebeat.key + - API_USERNAME=wazuh-wui + - API_PASSWORD=MyS3cr37P450r.*- + volumes: + - wm_certs:/etc/ssl/wazuh + - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf + ports: + - '514:514' + - '1514:1514' + - '1515:1515' + - '1516:1516' + - '55000:55000' networks: os-dev: diff --git a/docker/wazuh-4.2-es/pre.yml b/docker/wazuh-4.2-es/pre.yml index 273e304c95..26a2e7a6bb 100755 --- a/docker/wazuh-4.2-es/pre.yml +++ b/docker/wazuh-4.2-es/pre.yml @@ -1,16 +1,16 @@ -version: "2.2" +version: '2.2' x-logging: &logging logging: driver: loki options: - loki-url: "http://host.docker.internal:3100/loki/api/v1/push" + loki-url: 'http://host.docker.internal:3100/loki/api/v1/push' services: exporter: image: quay.io/prometheuscommunity/elasticsearch-exporter:latest <<: *logging - hostname: "exporter-kbn-${ES_VERSION}" + hostname: 'exporter-kbn-${ES_VERSION}' networks: - es-pre - mon @@ -21,7 +21,7 @@ services: imposter: image: outofcoffee/imposter - hostname: "imposter-kbn-${ES_VERSION}" + hostname: 'imposter-kbn-${ES_VERSION}' networks: - es-pre - mon @@ -38,7 +38,7 @@ services: condition: service_healthy image: elastic/filebeat:7.10.2 hostname: filebeat - user: "0:0" + user: '0:0' networks: - es-pre <<: *logging 
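Review bot: The new `wazuh.manager` service carries its indexer and API credentials as plain `environment:` literals (`INDEXER_PASSWORD=admin`, `API_PASSWORD=MyS3cr37P450r.*-`), and the API password has to stay byte-identical to the one in `docker/osd-dev/config/1.x/osd/wazuh.yml` and `.../2.x/osd/wazuh.yml` for the dashboard to connect; sourcing it from a variable exported by `dev.sh` or a `.env` file, `- API_PASSWORD=${API_PASSWORD}`, gives those files a single source of truth and keeps the secret out of the compose file. The `# <<: *logging` line added here and in eight other hunks of this file is commented-out text with no `x-logging` anchor visible in this file; either define the anchor and enable it, or drop the lines. `FILEBEAT_SSL_VERIFICATION_MODE=full` makes the manager reject the indexer unless `wm_certs` holds a valid `ca.pem`/`filebeat.pem`/`filebeat.key`; the top-level `volumes:` declaration and whatever populates that volume are outside this hunk, so please confirm both exist for the `server` profile.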
@@ -51,7 +51,7 @@ services: echo admin | filebeat keystore add username --stdin --force echo ${ELASTIC_PASSWORD}| filebeat keystore add password --stdin --force curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json - curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module + curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module # copy filebeat to preserve correct permissions without # affecting host filesystem cp /tmp/filebeat.yml /usr/share/filebeat/filebeat.yml @@ -72,7 +72,7 @@ services: - certs:/usr/share/elasticsearch/config/certs - ./config/wazuh_indexer_ssl_certs/:/tmp/certs - ./config/setup_permissions.sh:/tmp/setup_permissions.sh - user: "0" + user: '0' command: > bash -c ' if [ x${ELASTIC_PASSWORD} == x ]; then @@ -134,7 +134,7 @@ services: echo "All done!"; ' healthcheck: - test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"] + test: ['CMD-SHELL', '[ -f config/certs/es01/es01.crt ]'] interval: 1s timeout: 5s retries: 120 @@ -152,7 +152,7 @@ services: - certs:/usr/share/elasticsearch/config/certs - esdata01:/usr/share/elasticsearch/data environment: - - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + - 'ES_JAVA_OPTS=-Xms512m -Xmx512m' - node.name=es01 - cluster.name=${CLUSTER_NAME} # - cluster.initial_master_nodes=es01,es02,es03 @@ -180,7 +180,7 @@ services: healthcheck: test: [ - "CMD-SHELL", + 'CMD-SHELL', "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'", ] interval: 10s @@ -303,7 +303,7 @@ services: healthcheck: test: [ - "CMD-SHELL", + 'CMD-SHELL', "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'", ] interval: 10s @@ -312,7 +312,7 @@ services: networks: es-pre: - name: "es-pre-${ES_VERSION}" + name: 'es-pre-${ES_VERSION}' driver: bridge mon: external: true 
diff --git a/docker/wazuh-4.3-wz/pre.yml b/docker/wazuh-4.3-wz/pre.yml index b203c39355..4757912bb6 100755 --- a/docker/wazuh-4.3-wz/pre.yml +++ b/docker/wazuh-4.3-wz/pre.yml @@ -5,13 +5,13 @@ x-logging: &logging logging: driver: loki options: - loki-url: "http://host.docker.internal:3100/loki/api/v1/push" + loki-url: 'http://host.docker.internal:3100/loki/api/v1/push' services: exporter: image: quay.io/prometheuscommunity/elasticsearch-exporter:latest <<: *logging - hostname: "exporter-kbn-${WAZUH_STACK}" + hostname: 'exporter-kbn-${WAZUH_STACK}' networks: - wzd-pre - mon @@ -22,7 +22,7 @@ services: imposter: image: outofcoffee/imposter - hostname: "imposter-kbn-${WAZUH_STACK}" + hostname: 'imposter-kbn-${WAZUH_STACK}' networks: - wzd-pre - mon 
@@ -42,64 +42,64 @@ services: - ./config/certs:/conf entrypoint: /bin/bash command: > - -c ' - export certs=/tmp/certs - mkdir $$certs - cd $$certs + -c ' + export certs=/tmp/certs + mkdir $$certs + cd $$certs + + echo "Generating CA" + cfssl gencert -initca /conf/ca.json | cfssljson -bare ca + + echo "Generating servers certificates" + for i in wazuh.indexer wazuh.dashboard wazuh.manager; do + echo "Generating cert for $$i" + cat /conf/host.json | \ + sed "s/HOST/$$i/g" | \ + cfssl gencert \ + -ca $$certs/ca.pem \ + -ca-key $$certs/ca-key.pem \ + -config /conf/cfssl.json \ + -profile=server - | \ + cfssljson -bare $$i + openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key + done + + echo "Generating clients certificates" + for i in admin filebeat; do + echo "Generating cert for $$i" + cat /conf/host.json | \ + sed "s/HOST/$$i/g" | \ + cfssl gencert \ + -ca $$certs/ca.pem \ + -ca-key $$certs/ca-key.pem \ + -config /conf/cfssl.json \ + -profile=client - | \ + cfssljson -bare $$i + openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key + done - echo "Generating CA" - cfssl gencert -initca /conf/ca.json | cfssljson -bare ca + echo "Setting up permissions" - echo "Generating servers certificates" - for i in wazuh.indexer wazuh.dashboard wazuh.manager; do - echo "Generating cert for $$i" - cat /conf/host.json | \ - sed "s/HOST/$$i/g" | \ - cfssl gencert \ - -ca $$certs/ca.pem \ - -ca-key $$certs/ca-key.pem \ - -config /conf/cfssl.json \ - -profile=server - | \ - cfssljson -bare $$i - openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key - done - - echo "Generating clients certificates" - for i in admin filebeat; do - echo "Generating cert for $$i" - cat /conf/host.json | \ - sed "s/HOST/$$i/g" | \ - cfssl gencert \ - -ca $$certs/ca.pem \ - -ca-key $$certs/ca-key.pem \ - -config /conf/cfssl.json \ - -profile=client - | \ - cfssljson -bare $$i - openssl pkcs8 -topk8 -inform pem -in 
$$i-key.pem -outform pem -nocrypt -out $$i.key - done - - echo "Setting up permissions" - - rm /certs/wi/* /certs/wd/* /certs/wm/* - - mv $$certs/wazuh.indexer* /certs/wi - mv $$certs/admin* /certs/wi - mv /certs/wi/admin.key /certs/wi/admin-key.pem - cp $$certs/*ca* /certs/wi - - mv $$certs/wazuh.dashboard* /certs/wd - cp $$certs/*ca* /certs/wd - - mv $$certs/*.* /certs/wm - - chmod 640 /certs/wi/* /certs/wd/* /certs/wm/* - chown -R 1000:1000 /certs/* - ls -alR /certs/ - - sleep 30 - ' + rm /certs/wi/* /certs/wd/* /certs/wm/* + + mv $$certs/wazuh.indexer* /certs/wi + mv $$certs/admin* /certs/wi + mv /certs/wi/admin.key /certs/wi/admin-key.pem + cp $$certs/*ca* /certs/wi + + mv $$certs/wazuh.dashboard* /certs/wd + cp $$certs/*ca* /certs/wd + + mv $$certs/*.* /certs/wm + + chmod 640 /certs/wi/* /certs/wd/* /certs/wm/* + chown -R 1000:1000 /certs/* + ls -alR /certs/ + + sleep 30 + ' healthcheck: - test: ["CMD-SHELL", "[ -r /certs/wm/wazuh.manager.pem ]"] + test: ['CMD-SHELL', '[ -r /certs/wm/wazuh.manager.pem ]'] interval: 2s timeout: 5s retries: 10 @@ -110,7 +110,7 @@ services: condition: service_healthy image: elastic/filebeat:7.10.2 hostname: filebeat - user: "0:0" + user: '0:0' networks: - wzd-pre - mon @@ -123,7 +123,7 @@ services: echo admin | filebeat keystore add username --stdin --force echo SecretPassword| filebeat keystore add password --stdin --force curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.3/extensions/elasticsearch/7.x/wazuh-template.json - curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module + curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module # copy filebeat to preserve correct permissions without # affecting host filesystem cp /tmp/filebeat.yml /usr/share/filebeat/filebeat.yml 
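Review bot: `command: >` is a folded block scalar, so re-indenting `-c '` and the script body is a change to the value, not only to its appearance: in a `>` scalar, lines at the base indentation are joined with spaces and only more-indented lines keep their line breaks, which is what currently keeps `mkdir $$certs`, `cd $$certs` and the `for` loops as separate shell statements. The collapsed rendering here does not show the resulting columns, so please confirm with `docker compose -f pre.yml config` that the script still renders with newlines rather than as one long line; the identical hunk in `docker/wazuh-4.4-wz/pre.yml` needs the same check. Independently of the reindent, `cp $$certs/*ca* /certs/wi` and `cp $$certs/*ca* /certs/wd` copy `ca-key.pem` along with `ca.pem` into the indexer and dashboard certificate directories; if nothing there needs the CA signing key, `cp $$certs/ca.pem /certs/wi` and `cp $$certs/ca.pem /certs/wd` keep it only where `mv $$certs/*.* /certs/wm` already sends the remaining files. The `generator` service this `command:` belongs to starts before this hunk.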
@@ -136,7 +136,6 @@ services: - wm_certs:/etc/ssl/wazuh - ./config/filebeat/filebeat.yml:/tmp/filebeat.yml - wazuh.indexer: depends_on: generator: @@ -148,8 +147,8 @@ services: - mon <<: *logging environment: - - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" - - "OPENSEARCH_PATH_CONF=/usr/share/wazuh-indexer/config" + - 'OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m' + - 'OPENSEARCH_PATH_CONF=/usr/share/wazuh-indexer/config' ulimits: memlock: soft: -1 @@ -165,15 +164,13 @@ services: healthcheck: test: [ - "CMD-SHELL", - "/usr/share/wazuh-indexer/bin/opensearch-plugin list | grep -q security", + 'CMD-SHELL', + '/usr/share/wazuh-indexer/bin/opensearch-plugin list | grep -q security', ] interval: 10s timeout: 10s retries: 120 - - wazuh.dashboard: image: wazuh/wazuh-dashboard:${WAZUH_STACK} hostname: wazuh.dashboard diff --git a/docker/wazuh-4.4-wz/pre.yml b/docker/wazuh-4.4-wz/pre.yml index 632a56405a..f724f3b902 100755 --- a/docker/wazuh-4.4-wz/pre.yml +++ b/docker/wazuh-4.4-wz/pre.yml @@ -5,13 +5,13 @@ x-logging: &logging logging: driver: loki options: - loki-url: "http://host.docker.internal:3100/loki/api/v1/push" + loki-url: 'http://host.docker.internal:3100/loki/api/v1/push' services: exporter: image: quay.io/prometheuscommunity/elasticsearch-exporter:latest <<: *logging - hostname: "exporter-kbn-${WAZUH_STACK}" + hostname: 'exporter-kbn-${WAZUH_STACK}' networks: - wzd-pre - mon @@ -22,7 +22,7 @@ services: imposter: image: outofcoffee/imposter - hostname: "imposter-kbn-${WAZUH_STACK}" + hostname: 'imposter-kbn-${WAZUH_STACK}' networks: - wzd-pre - mon 
@@ -42,64 +42,64 @@ services: - ./config/certs:/conf entrypoint: /bin/bash command: > - -c ' - export certs=/tmp/certs - mkdir $$certs - cd $$certs + -c ' + export certs=/tmp/certs + mkdir $$certs + cd $$certs + + echo "Generating CA" + cfssl gencert -initca /conf/ca.json | cfssljson -bare ca + + echo "Generating servers certificates" + for i in wazuh.indexer wazuh.dashboard wazuh.manager; do + echo "Generating cert for $$i" + cat /conf/host.json | \ + sed "s/HOST/$$i/g" | \ + cfssl gencert \ + -ca $$certs/ca.pem \ + -ca-key $$certs/ca-key.pem \ + -config /conf/cfssl.json \ + -profile=server - | \ + cfssljson -bare $$i + openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key + done + + echo "Generating clients certificates" + for i in admin filebeat; do + echo "Generating cert for $$i" + cat /conf/host.json | \ + sed "s/HOST/$$i/g" | \ + cfssl gencert \ + -ca $$certs/ca.pem \ + -ca-key $$certs/ca-key.pem \ + -config /conf/cfssl.json \ + -profile=client - | \ + cfssljson -bare $$i + openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key + done - echo "Generating CA" - cfssl gencert -initca /conf/ca.json | cfssljson -bare ca + echo "Setting up permissions" - echo "Generating servers certificates" - for i in wazuh.indexer wazuh.dashboard wazuh.manager; do - echo "Generating cert for $$i" - cat /conf/host.json | \ - sed "s/HOST/$$i/g" | \ - cfssl gencert \ - -ca $$certs/ca.pem \ - -ca-key $$certs/ca-key.pem \ - -config /conf/cfssl.json \ - -profile=server - | \ - cfssljson -bare $$i - openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key - done - - echo "Generating clients certificates" - for i in admin filebeat; do - echo "Generating cert for $$i" - cat /conf/host.json | \ - sed "s/HOST/$$i/g" | \ - cfssl gencert \ - -ca $$certs/ca.pem \ - -ca-key $$certs/ca-key.pem \ - -config /conf/cfssl.json \ - -profile=client - | \ - cfssljson -bare $$i - openssl pkcs8 -topk8 -inform pem -in 
$$i-key.pem -outform pem -nocrypt -out $$i.key - done - - echo "Setting up permissions" - - rm /certs/wi/* /certs/wd/* /certs/wm/* - - mv $$certs/wazuh.indexer* /certs/wi - mv $$certs/admin* /certs/wi - mv /certs/wi/admin.key /certs/wi/admin-key.pem - cp $$certs/*ca* /certs/wi - - mv $$certs/wazuh.dashboard* /certs/wd - cp $$certs/*ca* /certs/wd - - mv $$certs/*.* /certs/wm - - chmod 640 /certs/wi/* /certs/wd/* /certs/wm/* - chown -R 1000:1000 /certs/* - ls -alR /certs/ - - sleep 30 - ' + rm /certs/wi/* /certs/wd/* /certs/wm/* + + mv $$certs/wazuh.indexer* /certs/wi + mv $$certs/admin* /certs/wi + mv /certs/wi/admin.key /certs/wi/admin-key.pem + cp $$certs/*ca* /certs/wi + + mv $$certs/wazuh.dashboard* /certs/wd + cp $$certs/*ca* /certs/wd + + mv $$certs/*.* /certs/wm + + chmod 640 /certs/wi/* /certs/wd/* /certs/wm/* + chown -R 1000:1000 /certs/* + ls -alR /certs/ + + sleep 30 + ' healthcheck: - test: ["CMD-SHELL", "[ -r /certs/wm/wazuh.manager.pem ]"] + test: ['CMD-SHELL', '[ -r /certs/wm/wazuh.manager.pem ]'] interval: 2s timeout: 5s retries: 10 @@ -110,7 +110,7 @@ services: condition: service_healthy image: elastic/filebeat:7.10.2 hostname: filebeat - user: "0:0" + user: '0:0' networks: - wzd-pre - mon @@ -123,7 +123,7 @@ services: echo admin | filebeat keystore add username --stdin --force echo SecretPassword| filebeat keystore add password --stdin --force curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.3/extensions/elasticsearch/7.x/wazuh-template.json - curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module + curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module # copy filebeat to preserve correct permissions without # affecting host filesystem cp /tmp/filebeat.yml /usr/share/filebeat/filebeat.yml 
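Review bot: `cp $$certs/*ca* /certs/wi` and `cp $$certs/*ca* /certs/wd` copy `ca-key.pem` (and `ca.csr`) together with `ca.pem`, and the final `mv $$certs/*.* /certs/wm` drops the CA private key into the manager/filebeat volume as well, so the signing key ends up in every service volume although only `ca.pem` is needed for trust; `cp $$certs/ca.pem /certs/wi`, `cp $$certs/ca.pem /certs/wd` and a `rm $$certs/ca-key.pem` before the last `mv` (if nothing on that side signs with it) would keep it out. The hunk is whitespace-only, but `command: >` is a folded scalar: the script lines keep their newlines only while they are indented deeper than the `-c '` line, so please confirm the re-indented block preserves that relative indent — otherwise the `for ... do ... done` bodies fold into a single line without separators. The `@@ -42,64 +42,64 @@` hunk in docker/wazuh-4.5-wz/pre.yml has the same two points.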
@@ -136,7 +136,6 @@ services: - wm_certs:/etc/ssl/wazuh - ./config/filebeat/filebeat.yml:/tmp/filebeat.yml - wazuh.indexer: depends_on: generator: @@ -148,8 +147,8 @@ services: - mon <<: *logging environment: - - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" - - "OPENSEARCH_PATH_CONF=/usr/share/wazuh-indexer/config" + - 'OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m' + - 'OPENSEARCH_PATH_CONF=/usr/share/wazuh-indexer/config' ulimits: memlock: soft: -1 @@ -168,15 +167,13 @@ services: healthcheck: test: [ - "CMD-SHELL", - "/usr/share/wazuh-indexer/bin/opensearch-plugin list | grep -q security", + 'CMD-SHELL', + '/usr/share/wazuh-indexer/bin/opensearch-plugin list | grep -q security', ] interval: 10s timeout: 10s retries: 120 - - wazuh.dashboard: image: wazuh/wazuh-dashboard:${WAZUH_STACK} hostname: wazuh.dashboard diff --git a/docker/wazuh-4.5-wz/pre.yml b/docker/wazuh-4.5-wz/pre.yml index 632a56405a..f724f3b902 100755 --- a/docker/wazuh-4.5-wz/pre.yml +++ b/docker/wazuh-4.5-wz/pre.yml @@ -5,13 +5,13 @@ x-logging: &logging logging: driver: loki options: - loki-url: "http://host.docker.internal:3100/loki/api/v1/push" + loki-url: 'http://host.docker.internal:3100/loki/api/v1/push' services: exporter: image: quay.io/prometheuscommunity/elasticsearch-exporter:latest <<: *logging - hostname: "exporter-kbn-${WAZUH_STACK}" + hostname: 'exporter-kbn-${WAZUH_STACK}' networks: - wzd-pre - mon @@ -22,7 +22,7 @@ services: imposter: image: outofcoffee/imposter - hostname: "imposter-kbn-${WAZUH_STACK}" + hostname: 'imposter-kbn-${WAZUH_STACK}' networks: - wzd-pre - mon 
@@ -42,64 +42,64 @@ services: - ./config/certs:/conf entrypoint: /bin/bash command: > - -c ' - export certs=/tmp/certs - mkdir $$certs - cd $$certs + -c ' + export certs=/tmp/certs + mkdir $$certs + cd $$certs + + echo "Generating CA" + cfssl gencert -initca /conf/ca.json | cfssljson -bare ca + + echo "Generating servers certificates" + for i in wazuh.indexer wazuh.dashboard wazuh.manager; do + echo "Generating cert for $$i" + cat /conf/host.json | \ + sed "s/HOST/$$i/g" | \ + cfssl gencert \ + -ca $$certs/ca.pem \ + -ca-key $$certs/ca-key.pem \ + -config /conf/cfssl.json \ + -profile=server - | \ + cfssljson -bare $$i + openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key + done + + echo "Generating clients certificates" + for i in admin filebeat; do + echo "Generating cert for $$i" + cat /conf/host.json | \ + sed "s/HOST/$$i/g" | \ + cfssl gencert \ + -ca $$certs/ca.pem \ + -ca-key $$certs/ca-key.pem \ + -config /conf/cfssl.json \ + -profile=client - | \ + cfssljson -bare $$i + openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key + done - echo "Generating CA" - cfssl gencert -initca /conf/ca.json | cfssljson -bare ca + echo "Setting up permissions" - echo "Generating servers certificates" - for i in wazuh.indexer wazuh.dashboard wazuh.manager; do - echo "Generating cert for $$i" - cat /conf/host.json | \ - sed "s/HOST/$$i/g" | \ - cfssl gencert \ - -ca $$certs/ca.pem \ - -ca-key $$certs/ca-key.pem \ - -config /conf/cfssl.json \ - -profile=server - | \ - cfssljson -bare $$i - openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key - done - - echo "Generating clients certificates" - for i in admin filebeat; do - echo "Generating cert for $$i" - cat /conf/host.json | \ - sed "s/HOST/$$i/g" | \ - cfssl gencert \ - -ca $$certs/ca.pem \ - -ca-key $$certs/ca-key.pem \ - -config /conf/cfssl.json \ - -profile=client - | \ - cfssljson -bare $$i - openssl pkcs8 -topk8 -inform pem -in 
$$i-key.pem -outform pem -nocrypt -out $$i.key - done - - echo "Setting up permissions" - - rm /certs/wi/* /certs/wd/* /certs/wm/* - - mv $$certs/wazuh.indexer* /certs/wi - mv $$certs/admin* /certs/wi - mv /certs/wi/admin.key /certs/wi/admin-key.pem - cp $$certs/*ca* /certs/wi - - mv $$certs/wazuh.dashboard* /certs/wd - cp $$certs/*ca* /certs/wd - - mv $$certs/*.* /certs/wm - - chmod 640 /certs/wi/* /certs/wd/* /certs/wm/* - chown -R 1000:1000 /certs/* - ls -alR /certs/ - - sleep 30 - ' + rm /certs/wi/* /certs/wd/* /certs/wm/* + + mv $$certs/wazuh.indexer* /certs/wi + mv $$certs/admin* /certs/wi + mv /certs/wi/admin.key /certs/wi/admin-key.pem + cp $$certs/*ca* /certs/wi + + mv $$certs/wazuh.dashboard* /certs/wd + cp $$certs/*ca* /certs/wd + + mv $$certs/*.* /certs/wm + + chmod 640 /certs/wi/* /certs/wd/* /certs/wm/* + chown -R 1000:1000 /certs/* + ls -alR /certs/ + + sleep 30 + ' healthcheck: - test: ["CMD-SHELL", "[ -r /certs/wm/wazuh.manager.pem ]"] + test: ['CMD-SHELL', '[ -r /certs/wm/wazuh.manager.pem ]'] interval: 2s timeout: 5s retries: 10 @@ -110,7 +110,7 @@ services: condition: service_healthy image: elastic/filebeat:7.10.2 hostname: filebeat - user: "0:0" + user: '0:0' networks: - wzd-pre - mon @@ -123,7 +123,7 @@ services: echo admin | filebeat keystore add username --stdin --force echo SecretPassword| filebeat keystore add password --stdin --force curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.3/extensions/elasticsearch/7.x/wazuh-template.json - curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module + curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module # copy filebeat to preserve correct permissions without # affecting host filesystem cp /tmp/filebeat.yml /usr/share/filebeat/filebeat.yml 
@@ -136,7 +136,6 @@ services: - wm_certs:/etc/ssl/wazuh - ./config/filebeat/filebeat.yml:/tmp/filebeat.yml - wazuh.indexer: depends_on: generator: @@ -148,8 +147,8 @@ services: - mon <<: *logging environment: - - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" - - "OPENSEARCH_PATH_CONF=/usr/share/wazuh-indexer/config" + - 'OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m' + - 'OPENSEARCH_PATH_CONF=/usr/share/wazuh-indexer/config' ulimits: memlock: soft: -1 @@ -168,15 +167,13 @@ services: healthcheck: test: [ - "CMD-SHELL", - "/usr/share/wazuh-indexer/bin/opensearch-plugin list | grep -q security", + 'CMD-SHELL', + '/usr/share/wazuh-indexer/bin/opensearch-plugin list | grep -q security', ] interval: 10s timeout: 10s retries: 120 - - wazuh.dashboard: image: wazuh/wazuh-dashboard:${WAZUH_STACK} hostname: wazuh.dashboard diff --git a/docker/wazuh-4.6/README.md b/docker/wazuh-4.6/README.md new file mode 100644 index 0000000000..e76e582ec1 --- /dev/null +++ b/docker/wazuh-4.6/README.md 
@@ -0,0 +1,142 @@ +# Wazuh Stack 4.6.x + +On this folder, we can find two types of environments: + +- release environment, managed by the `rel.sh` script +- prerelease environment managed by the `pre.sh` script + +### UI Credentials + +The default user and password to access the UI at https://0.0.0.0:5601/ are: + +``` +admin:SecretPassword +``` + +## Release environment + +This environment will start a working deployment with: + +- Wazuh Manager +- Wazuh Indexer +- Wazuh Dashboard + +Check the scripts for a list of the supported Wazuh versions. + +The environment expect the network `mon` to exists, either bring up the +`mon` stack or execute the following command: + +```bash +docker network create mon +``` + +The images used here are generated by the CI/CD team and uploaded into +the official Docker Hub organization. No Wazuh Agent image is provided yet, +so you'll need to deploy an agent in Docker manually, by following the +instructions below. + +### Image certificates + +Certificates are created automatically by the docker-compose, but if +it fails to create them with the appropriate permissions, we might need +to adjust them. + +This is related to the way the official Wazuh docker images are +prepared. + +### Registering agents using Docker + +To register an agent, we need to get the enrollment command from the +UI and then execute: + +- For `CentOS/8` images: + + ```bash + docker run --name wz-rel-agent-4.6.0 --rm --network wz-rel-450 --label com.docker.compose.project=wz-rel-450 -d centos:8 bash -c ' + sed -i -e "s|mirrorlist=|#mirrorlist=|g" /etc/yum.repos.d/CentOS-* + sed -i -e "s|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g" /etc/yum.repos.d/CentOS-* + + # Change this command by the one the UI suggests. Add the -y flag and remove the `sudo`. 
+ WAZUH_MANAGER='wazuh.manager' yum install -y https://packages.wazuh.com/4.x/yum5/x86_64/wazuh-agent-4.6.0-1.el5.x86_64.rpm + + /etc/init.d/wazuh-agent start + tail -f /var/ossec/logs/ossec.log + ' + ``` + +- For `Ubuntu` images + + ```bash + docker run --name wz-rel-agent-4.6.0 --network wz-rel-450 --label com.docker.compose.project=wz-rel-450 -d ubuntu:20.04 bash -c ' + apt update -y + apt install -y curl lsb-release + + # Change this command by the one the UI suggests to use. Remove the `sudo`. + curl -so wazuh-agent-4.6.0.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.6.0-1_amd64.deb && WAZUH_MANAGER='wazuh.manager' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.6.0.deb + + /etc/init.d/wazuh-agent start + tail -f /var/ossec/logs/ossec.log + ' + ``` + +- For `non-Linux` agents: + + We need to provision virtual machines. + +## Prerelease environment + +The prerelease environment helps us test app releases while the rest of +Wazuh packages haven't been generated yet. + +This environment will bring up: + +- Wazuh Indexer +- Wazuh Dashboard +- Filebeat +- Imposter + +### Usage + +The way to use this environment is to bring up a published Wazuh version to +later on upgrade the app with our pre-release package. + +While bring up the environment with the `pre.sh` script, specify the published +version of Wazuh with the `wazuh_version` argument, the new patch version of +Wazuh with `wazuh_api_version` and finally follow the steps provided by the +scripts. + +Example: test a package for Wazuh 4.6.0 + +```bash +./pre.sh 4.6.0 0 up +``` + +```bash +./pre.sh wazuh_version wazuh_api_version action + +where + wazuh_version is one of + wazuh_api_version is the minor version of wazuh 4.6, for example 5 17 + action is one of up | down + +In a minor release, the API should not change the version here bumps the API + string returned for testing. 
This script generates the file
+
+ config/imposter/api_info.json
+
+used by the mock server
+```
+
+Please take into account that the API version for this environment will
+always be a 4.6.x version. Also consider that our application version
+must be the same as the one selected here.
+
+### App upgrade
+
+Follow the instructions provided by the `pre.sh` script.
+
+### Agent enrollment
+
+Because we're not using a real Wazuh Manager, we cannot register new agents.
+Instead, Imposter (the mock server) will provide mocked responds to valid API
+requests, as if it were the real Wazuh server.
diff --git a/docker/wazuh-4.6/config/certs/ca.json b/docker/wazuh-4.6/config/certs/ca.json
new file mode 100644
index 0000000000..8a96a70a42
--- /dev/null
+++ b/docker/wazuh-4.6/config/certs/ca.json
@@ -0,0 +1,15 @@
+{
+ "CN": "Wazuh",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "US",
+ "L": "San Francisco",
+ "O": "Wazuh",
+ "OU": "Wazuh Root CA"
+ }
+ ]
+}
diff --git a/docker/wazuh-4.6/config/certs/cfssl.json b/docker/wazuh-4.6/config/certs/cfssl.json
new file mode 100644
index 0000000000..d23daf7621
--- /dev/null
+++ b/docker/wazuh-4.6/config/certs/cfssl.json
@@ -0,0 +1,58 @@
+{
+ "signing": {
+ "default": {
+ "expiry": "8760h"
+ },
+ "profiles": {
+ "intermediate_ca": {
+ "usages": [
+ "signing",
+ "digital signature",
+ "key encipherment",
+ "cert sign",
+ "crl sign",
+ "server auth",
+ "client auth"
+ ],
+ "expiry": "8760h",
+ "ca_constraint": {
+ "is_ca": true,
+ "max_path_len": 0,
+ "max_path_len_zero": true
+ }
+ },
+ "peer": {
+ "usages": [
+ "signing",
+ "digital signature",
+ "key encipherment",
+ "data encipherment",
+ "client auth",
+ "server auth"
+ ],
+ "expiry": "8760h"
+ },
+ "server": {
+ "usages": [
+ "signing",
+ "digital signing",
+ "key encipherment",
+ "data encipherment",
+ "server auth"
+ ],
+ "expiry": "8760h"
+ },
+ "client": {
+ "usages": [
+ "signing",
+ "digital signature",
+ "key encipherment",
+ "data encipherment",
+ "client auth"
+ ],
+ "expiry": "8760h"
+ }
+ }
+ }
+}
+
diff --git a/docker/wazuh-4.6/config/certs/host.json b/docker/wazuh-4.6/config/certs/host.json
new file mode 100644
index 0000000000..27805da58e
--- /dev/null
+++ b/docker/wazuh-4.6/config/certs/host.json
@@ -0,0 +1,19 @@
+{
+ "CN": "HOST",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "US",
+ "L": "California",
+ "O": "Wazuh",
+ "OU": "Wazuh"
+ }
+ ],
+ "hosts": [
+ "HOST",
+ "localhost"
+ ]
+}
diff --git a/docker/wazuh-4.6/config/filebeat/filebeat.yml b/docker/wazuh-4.6/config/filebeat/filebeat.yml
new file mode 100644
index 0000000000..e22b1f97ca
--- /dev/null
+++ b/docker/wazuh-4.6/config/filebeat/filebeat.yml
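Review bot: The `server` profile lists `"digital signing"` where every other profile uses `"digital signature"`; that string is not a key-usage name cfssl recognises, so it looks like a typo that is dropped at signing time (the `"signing"` entry already requests the digitalSignature bit, so the issued certificates are most likely unaffected), and it should read `"digital signature"` for consistency. `intermediate_ca` and `peer` are not referenced by the generators visible in this diff, which only pass `-profile=server` and `-profile=client`; if nothing else uses them, removing them keeps the signing policy limited to what is actually issued.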
@@ -0,0 +1,22 @@
+
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+ - module: wazuh
+ alerts:
+ enabled: true
+ archives:
+ enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.template.overwrite: true
+setup.ilm.enabled: false
+output.elasticsearch:
+ hosts: ['https://wazuh.indexer:9200']
+ username: 'admin'
+ password: 'SecretPassword'
+ ssl.verification_mode: full
+ ssl.certificate_authorities: ['/etc/ssl/wazuh/ca.pem']
+ ssl.certificate: '/etc/ssl/wazuh/filebeat.pem'
+ ssl.key: '/etc/ssl/wazuh/filebeat-key.pem'
diff --git a/docker/wazuh-4.6/config/imposter/api_info.json b/docker/wazuh-4.6/config/imposter/api_info.json
new file mode 100644
index 0000000000..126f87cfe7
--- /dev/null
+++ b/docker/wazuh-4.6/config/imposter/api_info.json
@@ -0,0 +1,12 @@
+{
+ "data": {
+ "title": "Wazuh API REST",
+ "api_version": "4.6.0",
+ "revision": 40316,
+ "license_name": "GPL 2.0",
+ "license_url": "https://github.com/wazuh/wazuh/blob/4.6/LICENSE",
+ "hostname": "imposter",
+ "timestamp": "2022-06-13T17:20:03Z"
+ },
+ "error": 0
+}
diff --git a/docker/wazuh-4.6/config/imposter/login.js b/docker/wazuh-4.6/config/imposter/login.js
new file mode 100755
index 0000000000..86c2eb4180
--- /dev/null
+++ b/docker/wazuh-4.6/config/imposter/login.js
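Review bot: `username: 'admin'` and `password: 'SecretPassword'` are literal credentials, yet the compose commands in the 4.4/4.5 pre.yml hunks of this diff populate the Filebeat keystore with `filebeat keystore add username` / `filebeat keystore add password`, so if the 4.6 compose does the same those keystore entries are never consulted; use `username: '${username}'` and `password: '${password}'` so Filebeat resolves them from the keystore and the secret leaves the committed file. Leave `ssl.verification_mode: full` and the CA/client-certificate lines as they are — only the credential lines need changing.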
@@ -0,0 +1,42 @@
+exports = {};
+
+load('https://raw.githubusercontent.com/kjur/jsrsasign/master/npm/lib/jsrsasign.js', exports);
+header = {
+ "alg": "HS256",
+ "typ": "JWT",
+ "kid": "vpaas-magic-cookie-1fc542a3e4414a44b2611668195e2bfe/4f4910"
+};
+
+// The second part of the token is the payload, which contains the claims.
+// Claims are statements about an entity (typically, the user) and
+// additional data. There are three types of claims:
+// registered, public, and private claims.
+nbf = Date.now()-1000;
+
+claims = {
+ "iss": "wazuh",
+ "aud": "Wazuh API REST",
+ "nbf": nbf,
+ "exp": nbf+3600000,
+ "sub": "wazuh",
+ "rbac_roles": [
+ 1
+ ],
+ "rbac_mode": "white"
+};
+
+
+jwt = KJUR.jws.JWS.sign("HS256", JSON.stringify(header), JSON.stringify(claims), "616161");
+
+resp = {
+ "data": {
+ "token": jwt,
+ "error": 0
+ }
+};
+
+respond()
+ .withStatusCode(200)
+ .withData(JSON.stringify(resp));
+
+
diff --git a/docker/wazuh-4.6/config/imposter/wazuh-config.yml b/docker/wazuh-4.6/config/imposter/wazuh-config.yml
new file mode 100755
index 0000000000..ace39bf4a0
--- /dev/null
+++ b/docker/wazuh-4.6/config/imposter/wazuh-config.yml
@@ -0,0 +1,16 @@
+---
+plugin: openapi
+specFile: https://raw.githubusercontent.com/wazuh/wazuh/v4.4.0/api/api/spec/spec.yaml
+
+resources:
+ - path: /security/user/authenticate
+ method: POST
+ response:
+ statusCode: 200
+ scriptFile: login.js
+ - path: /
+ method: get
+ response:
+ statusCode: 200
+ staticFile: api_info.json
+
diff --git a/docker/wazuh-4.6/config/wazuh_cluster/wazuh_manager.conf b/docker/wazuh-4.6/config/wazuh_cluster/wazuh_manager.conf
new file mode 100755
index 0000000000..aff1af9d6c
--- /dev/null
+++ b/docker/wazuh-4.6/config/wazuh_cluster/wazuh_manager.conf
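Review bot: `load('https://raw.githubusercontent.com/kjur/jsrsasign/master/npm/lib/jsrsasign.js', exports)` fetches and executes an unpinned script from a moving `master` branch at request time, so the code running inside Imposter changes whenever that branch does and the mock stops working offline; pin it to a release tag or commit, or vendor the file next to `login.js` and load it from disk. Separately, `nbf = Date.now()-1000` and `"exp": nbf+3600000` are milliseconds, whereas JWT `nbf`/`exp` are NumericDate values in seconds (RFC 7519), so any consumer that validates these claims will see a token that is not yet valid; `nbf = Math.floor(Date.now()/1000)-1` with `"exp": nbf+3600` would give the intended one-hour window if the app checks them.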
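Review bot: `specFile: https://raw.githubusercontent.com/wazuh/wazuh/v4.4.0/api/api/spec/spec.yaml` pins this `wazuh-4.6` mock to the 4.4.0 API specification while `api_info.json` in the same diff reports `"api_version": "4.6.0"`; if this was carried over from the 4.4 folder, point it at the matching 4.6.x tag so endpoints new in 4.6 are not rejected by the mock. The spec is also fetched remotely at startup with no integrity check, so vendoring it beside `wazuh-config.yml` would make the fixture reproducible and offline-capable. `method: get` and `method: POST` should use one case.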
@@ -0,0 +1,353 @@ + + + yes + yes + no + no + no + smtp.example.wazuh.com + wazuh@example.wazuh.com + recipient@example.wazuh.com + 12 + alerts.log + 10m + 0 + + + + 3 + 12 + + + + + plain + + + + secure + 1514 + tcp + 131072 + + + + + no + yes + yes + yes + yes + yes + yes + yes + + + 43200 + + etc/rootcheck/rootkit_files.txt + etc/rootcheck/rootkit_trojans.txt + + yes + + + + yes + 1800 + 1d + yes + + wodles/java + wodles/ciscat + + + + + yes + yes + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + yes + + + + + no + 1h + yes + yes + yes + yes + yes + yes + yes + + + + 10 + + + + + yes + yes + 12h + yes + + + + no + 5m + 6h + yes + + + + no + trusty + xenial + bionic + focal + 1h + + + + + no + stretch + buster + bullseye + 1h + + + + + no + 5 + 6 + 7 + 8 + 1h + + + + + no + amazon-linux + amazon-linux-2 + 1h + + + + + no + 1h + + + + + yes + 1h + + + + + yes + 2010 + 1h + + + + + + + no + + + 43200 + + yes + + + yes + + + no + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin,/boot + + + /etc/mtab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/random.seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + + + .log$|.swp$ + + + /etc/ssl/private.key + + yes + yes + yes + yes + + + 10 + + + 100 + + + + yes + 5m + 1h + 10 + + + + + + 127.0.0.1 + ^localhost.localdomain$ + 10.0.0.106 + + + + disable-account + disable-account + yes + + + + restart-wazuh + restart-wazuh + + + + firewall-drop + firewall-drop + yes + + + + host-deny + host-deny + yes + + + + route-null + route-null + yes + + + + win_route-null + route-null.exe + yes + + + + netsh + netsh.exe + yes + + + + + + + command + df -P + 360 + + + + full_command + netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + netstat listening 
ports + 360 + + + + full_command + last -n 20 + 360 + + + + + ruleset/decoders + ruleset/rules + 0215-policy_rules.xml + etc/lists/audit-keys + etc/lists/amazon/aws-eventnames + etc/lists/security-eventchannel + + + etc/decoders + etc/rules + + + + yes + 1 + 64 + 15m + + + + + no + 1515 + no + yes + no + HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH + + no + etc/sslmanager.cert + etc/sslmanager.key + no + + + + wazuh + node01 + master + + 1516 + 0.0.0.0 + + NODE_IP + + no + yes + + + + + + + syslog + /var/ossec/logs/active-responses.log + + + diff --git a/docker/wazuh-4.6/config/wazuh_dashboard/wazuh.yml b/docker/wazuh-4.6/config/wazuh_dashboard/wazuh.yml new file mode 100755 index 0000000000..dca5610652 --- /dev/null +++ b/docker/wazuh-4.6/config/wazuh_dashboard/wazuh.yml @@ -0,0 +1,14 @@ +hosts: + - imposter: + url: "http://imposter" + port: 8080 + username: wazuh-wui + password: MyS3cr37P450r.*- + run_as: false + + - 1513629884013: + url: https://wazuh.manager + port: 55000 + username: wazuh-wui + password: MyS3cr37P450r.*- + run_as: false diff --git a/docker/wazuh-4.6/config/wazuh_dashboard/wazuh_dashboard.yml b/docker/wazuh-4.6/config/wazuh_dashboard/wazuh_dashboard.yml new file mode 100755 index 0000000000..741fa3c019 --- /dev/null +++ b/docker/wazuh-4.6/config/wazuh_dashboard/wazuh_dashboard.yml 
@@ -0,0 +1,15 @@ +server.host: 0.0.0.0 +server.port: 5601 +opensearch.hosts: https://wazuh.indexer:9200 +opensearch.ssl.verificationMode: certificate +opensearch.requestHeadersAllowlist: ['securitytenant', 'Authorization'] +opensearch_security.multitenancy.enabled: false +opensearch_security.readonly_mode.roles: ['kibana_read_only'] +server.ssl.enabled: true +server.ssl.key: '/usr/share/wazuh-dashboard/certs/wazuh.dashboard.key' +server.ssl.certificate: '/usr/share/wazuh-dashboard/certs/wazuh.dashboard.pem' +opensearch.ssl.certificateAuthorities: + ['/usr/share/wazuh-dashboard/certs/ca.pem'] +uiSettings.overrides.defaultRoute: /app/wazuh +opensearch.username: 'kibanaserver' +opensearch.password: 'kibanaserver' diff --git a/docker/wazuh-4.6/config/wazuh_dashboard/wazuh_dashboard_saml.yml b/docker/wazuh-4.6/config/wazuh_dashboard/wazuh_dashboard_saml.yml new file mode 100755 index 0000000000..ce5d198300 --- /dev/null +++ b/docker/wazuh-4.6/config/wazuh_dashboard/wazuh_dashboard_saml.yml @@ -0,0 +1,16 @@ +server.host: 0.0.0.0 +server.port: 5601 +opensearch.hosts: https://wazuh.indexer:9200 +opensearch.ssl.verificationMode: certificate +opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"] +opensearch_security.multitenancy.enabled: false +opensearch_security.readonly_mode.roles: ["kibana_read_only"] +server.ssl.enabled: true +server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh.dashboard.key" +server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh.dashboard.pem" +opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/ca.pem"] +uiSettings.overrides.defaultRoute: /app/wazuh +opensearch.username: "kibanaserver" +opensearch.password: "kibanaserver" +opensearch_security.auth.type: "saml" +server.xsrf.whitelist: [/_plugins/_security/saml/acs,/_opendistro/_security/saml/acs,/_plugins/_security/saml/acs/idpinitiated,/_opendistro/_security/saml/acs/idpinitiated,/_plugins/_security/saml/logout,/_opendistro/_security/saml/logout] 
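Review bot: `opensearch.ssl.verificationMode: certificate` validates the chain but skips hostname matching, so any certificate issued by the lab CA for another name is accepted for `https://wazuh.indexer:9200`; if the indexer certificate carries `wazuh.indexer` as a SAN (host.json in this diff puts the host name into `hosts`), `opensearch.ssl.verificationMode: full` should work and is the safer default. The same line appears in wazuh_dashboard_saml.yml on this page. `opensearch.username: 'kibanaserver'` / `opensearch.password: 'kibanaserver'` are the stock demo credentials; a comment such as `# demo-only credentials for the local stack` above them would prevent them being carried into a non-lab deployment.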
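Review bot: `opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]` uses a different setting name than the sibling wazuh_dashboard.yml in this diff, which has `opensearch.requestHeadersAllowlist`; the two variants should use the same key (whichever the deployed OpenSearch Dashboards version documents), otherwise header pass-through may differ between the SAML and non-SAML stacks. `server.xsrf.whitelist: [/_plugins/_security/saml/acs, ...]` is a long unquoted flow list; writing it as a block sequence of quoted paths would be readable and immune to YAML indicator characters. The file also uses double quotes throughout while its sibling uses single quotes — pick one style for the pair.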
diff --git a/docker/wazuh-4.6/config/wazuh_indexer/config-saml.yml b/docker/wazuh-4.6/config/wazuh_indexer/config-saml.yml new file mode 100644 index 0000000000..74fc91c8c4 --- /dev/null +++ b/docker/wazuh-4.6/config/wazuh_indexer/config-saml.yml @@ -0,0 +1,40 @@ +--- +_meta: + type: "config" + config_version: 2 + +config: + dynamic: + http: + anonymous_auth_enabled: false + authc: + internal_auth: + order: 0 + description: "HTTP basic authentication using the internal user database" + http_enabled: true + transport_enabled: true + http_authenticator: + type: basic + challenge: false + authentication_backend: + type: internal + saml_auth: + order: 1 + description: "Keycloack SAML provider" + http_enabled: true + transport_enabled: false + http_authenticator: + type: saml + challenge: true + config: + idp: + metadata_url: http://idp:8080/realms/wazuh/protocol/saml/descriptor + entity_id: http://idp:8080/realms/wazuh + sp: + entity_id: wazuh + signature_private_key_filepath: "certs/admin-key.pem" + kibana_url: https://localhost:5601 + roles_key: Role + exchange_key: 1a2a3a4a5a6a7a8a9a0a1b2b3b4b5b6b + authentication_backend: + type: noop diff --git a/docker/wazuh-4.6/config/wazuh_indexer/config.yml b/docker/wazuh-4.6/config/wazuh_indexer/config.yml new file mode 100644 index 0000000000..74fc91c8c4 --- /dev/null +++ b/docker/wazuh-4.6/config/wazuh_indexer/config.yml 
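Review bot: `exchange_key: 1a2a3a4a5a6a7a8a9a0a1b2b3b4b5b6b` is a committed, low-entropy key for the SAML exchange token and `metadata_url: http://idp:8080/realms/wazuh/protocol/saml/descriptor` fetches IdP metadata over plaintext; acceptable for a throwaway lab, but mark both with a comment such as `# demo-only value, regenerate before any shared deployment`. config.yml, the next file on this page, is byte-identical to this SAML variant — both file headers show blob `74fc91c8c4` — so the non-SAML default also enables the `saml_auth` domain against an `idp` host; confirm that is intended, or limit config.yml to `internal_auth`. `description: "Keycloack SAML provider"` should read `Keycloak`.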
@@ -0,0 +1,40 @@ +--- +_meta: + type: "config" + config_version: 2 + +config: + dynamic: + http: + anonymous_auth_enabled: false + authc: + internal_auth: + order: 0 + description: "HTTP basic authentication using the internal user database" + http_enabled: true + transport_enabled: true + http_authenticator: + type: basic + challenge: false + authentication_backend: + type: internal + saml_auth: + order: 1 + description: "Keycloack SAML provider" + http_enabled: true + transport_enabled: false + http_authenticator: + type: saml + challenge: true + config: + idp: + metadata_url: http://idp:8080/realms/wazuh/protocol/saml/descriptor + entity_id: http://idp:8080/realms/wazuh + sp: + entity_id: wazuh + signature_private_key_filepath: "certs/admin-key.pem" + kibana_url: https://localhost:5601 + roles_key: Role + exchange_key: 1a2a3a4a5a6a7a8a9a0a1b2b3b4b5b6b + authentication_backend: + type: noop diff --git a/docker/wazuh-4.6/config/wazuh_indexer/internal_users.yml b/docker/wazuh-4.6/config/wazuh_indexer/internal_users.yml new file mode 100755 index 0000000000..d9f05b343b --- /dev/null +++ b/docker/wazuh-4.6/config/wazuh_indexer/internal_users.yml 
@@ -0,0 +1,56 @@ +--- +# This is the internal user database +# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh + +_meta: + type: "internalusers" + config_version: 2 + +# Define your internal users here + +## Demo users + +admin: + hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO" + reserved: true + backend_roles: + - "admin" + description: "Demo admin user" + +kibanaserver: + hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H." + reserved: true + description: "Demo kibanaserver user" + +kibanaro: + hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC" + reserved: false + backend_roles: + - "kibanauser" + - "readall" + attributes: + attribute1: "value1" + attribute2: "value2" + attribute3: "value3" + description: "Demo kibanaro user" + +logstash: + hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2" + reserved: false + backend_roles: + - "logstash" + description: "Demo logstash user" + +readall: + hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2" + reserved: false + backend_roles: + - "readall" + description: "Demo readall user" + +snapshotrestore: + hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W" + reserved: false + backend_roles: + - "snapshotrestore" + description: "Demo snapshotrestore user" diff --git a/docker/wazuh-4.6/config/wazuh_indexer/opensearch.yml b/docker/wazuh-4.6/config/wazuh_indexer/opensearch.yml new file mode 100644 index 0000000000..ee1dbf59d5 --- /dev/null +++ b/docker/wazuh-4.6/config/wazuh_indexer/opensearch.yml 
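Review bot: Only `admin` and `kibanaserver` are referenced elsewhere in this diff (filebeat.yml and wazuh_dashboard.yml); `kibanaro`, `logstash`, `readall` and `snapshotrestore` are unused demo accounts with published demo hashes, so the stack would expose fewer default logins if they were removed or explicitly documented as intentional. The header comment `# This is the internal user database` could also state which password the `admin` hash corresponds to, since the README advertises `admin:SecretPassword` and the `admin` and `snapshotrestore` entries use the `$2y$` bcrypt variant while the others use `$2a$`, which suggests they were regenerated separately — worth confirming they match.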
@@ -0,0 +1,42 @@ +network.host: "0.0.0.0" +node.name: "os1" +path.data: /var/lib/os1 +path.logs: /var/log/os1 +# comment compatibility.override_main_response_version for 2.0.0 +compatibility.override_main_response_version: true +plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/os1.pem +plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/os1.key +plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/ca.pem +plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/os1.pem +plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/os1.key +plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/ca.pem +plugins.security.ssl.http.enabled: true +plugins.security.ssl.transport.enforce_hostname_verification: false +plugins.security.ssl.transport.resolve_hostname: false +plugins.security.authcz.admin_dn: + - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" +plugins.security.check_snapshot_restore_write_privileges: true +plugins.security.enable_snapshot_restore_privilege: true +plugins.security.nodes_dn: + - "CN=os1,OU=Wazuh,O=Wazuh,L=California,C=US" +plugins.security.restapi.roles_enabled: + - "all_access" + - "security_rest_api_access" +plugins.security.system_indices.enabled: true +plugins.security.system_indices.indices: + [ + ".opendistro-alerting-config", + ".opendistro-alerting-alert*", + ".opendistro-anomaly-results*", + ".opendistro-anomaly-detector*", + ".opendistro-anomaly-checkpoints", + ".opendistro-anomaly-detection-state", + ".opendistro-reports-*", + ".opendistro-notifications-*", + ".opendistro-notebooks", + ".opensearch-observability", + ".opendistro-asynchronous-search-response*", + ".replication-metadata-store", + ] +plugins.security.allow_default_init_securityindex: true +cluster.routing.allocation.disk.threshold_enabled: false 
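Review bot: The certificate paths `${OPENSEARCH_PATH_CONF}/certs/os1.pem` / `os1.key` and `plugins.security.nodes_dn: CN=os1,OU=Wazuh,O=Wazuh,L=California,C=US` do not match anything the cfssl generators visible in this diff produce (they issue `wazuh.indexer.pem`/`.key` with `CN=wazuh.indexer` from host.json), so unless the 4.6 compose file — which is not on this page — renames the files on mount or generates an `os1` certificate, TLS startup would fail on missing files or the node DN would not be recognised; please confirm against the indexer service volumes. The `admin_dn` entry `CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US` does line up with host.json, so only the node identity is in question. The comment `# comment compatibility.override_main_response_version for 2.0.0` is ambiguous; if it means the setting must be commented out on 2.0.0, say so: `# Comment out compatibility.override_main_response_version when running OpenSearch 2.0.0+`.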
diff --git a/docker/wazuh-4.6/config/wazuh_indexer/roles.yml b/docker/wazuh-4.6/config/wazuh_indexer/roles.yml new file mode 100644 index 0000000000..5b35df448b --- /dev/null +++ b/docker/wazuh-4.6/config/wazuh_indexer/roles.yml 
@@ -0,0 +1,149 @@ +_meta: + type: "roles" + config_version: 2 + +# Restrict users so they can only view visualization and dashboard on kibana +kibana_read_only: + reserved: true + +# The security REST API access role is used to assign specific users access to change the security settings through the REST API. +security_rest_api_access: + reserved: true + +# Allows users to view monitors, destinations and alerts +alerting_read_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/alerting/alerts/get" + - "cluster:admin/opendistro/alerting/destination/get" + - "cluster:admin/opendistro/alerting/monitor/get" + - "cluster:admin/opendistro/alerting/monitor/search" + +# Allows users to view and acknowledge alerts +alerting_ack_alerts: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/alerting/alerts/*" + +# Allows users to use all alerting functionality +alerting_full_access: + reserved: true + cluster_permissions: + - "cluster_monitor" + - "cluster:admin/opendistro/alerting/*" + index_permissions: + - index_patterns: + - "*" + allowed_actions: + - "indices_monitor" + - "indices:admin/aliases/get" + - "indices:admin/mappings/get" + +# Allow users to read Anomaly Detection detectors and results +anomaly_read_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/ad/detector/info" + - "cluster:admin/opendistro/ad/detector/search" + - "cluster:admin/opendistro/ad/detectors/get" + - "cluster:admin/opendistro/ad/result/search" + - "cluster:admin/opendistro/ad/tasks/search" + +# Allows users to use all Anomaly Detection functionality +anomaly_full_access: + reserved: true + cluster_permissions: + - "cluster_monitor" + - "cluster:admin/opendistro/ad/*" + index_permissions: + - index_patterns: + - "*" + allowed_actions: + - "indices_monitor" + - "indices:admin/aliases/get" + - "indices:admin/mappings/get" + +# Allows users to read Notebooks +notebooks_read_access: + reserved: true + cluster_permissions: + - 
"cluster:admin/opendistro/notebooks/list" + - "cluster:admin/opendistro/notebooks/get" + +# Allows users to all Notebooks functionality +notebooks_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/notebooks/create" + - "cluster:admin/opendistro/notebooks/update" + - "cluster:admin/opendistro/notebooks/delete" + - "cluster:admin/opendistro/notebooks/get" + - "cluster:admin/opendistro/notebooks/list" + +# Allows users to read and download Reports +reports_instances_read_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/reports/instance/list" + - "cluster:admin/opendistro/reports/instance/get" + - "cluster:admin/opendistro/reports/menu/download" + +# Allows users to read and download Reports and Report-definitions +reports_read_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/reports/definition/get" + - "cluster:admin/opendistro/reports/definition/list" + - "cluster:admin/opendistro/reports/instance/list" + - "cluster:admin/opendistro/reports/instance/get" + - "cluster:admin/opendistro/reports/menu/download" + +# Allows users to all Reports functionality +reports_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/reports/definition/create" + - "cluster:admin/opendistro/reports/definition/update" + - "cluster:admin/opendistro/reports/definition/on_demand" + - "cluster:admin/opendistro/reports/definition/delete" + - "cluster:admin/opendistro/reports/definition/get" + - "cluster:admin/opendistro/reports/definition/list" + - "cluster:admin/opendistro/reports/instance/list" + - "cluster:admin/opendistro/reports/instance/get" + - "cluster:admin/opendistro/reports/menu/download" + +# Allows users to use all asynchronous-search functionality +asynchronous_search_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/asynchronous_search/*" + index_permissions: + - index_patterns: + - "*" + allowed_actions: + - 
"indices:data/read/search*" + +# Allows users to read stored asynchronous-search results +asynchronous_search_read_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/asynchronous_search/get" + +# Wazuh monitoring and statistics index permissions +manage_wazuh_index: + reserved: true + hidden: false + cluster_permissions: [] + index_permissions: + - index_patterns: + - "wazuh-*" + dls: "" + fls: [] + masked_fields: [] + allowed_actions: + - "read" + - "delete" + - "manage" + - "index" + tenant_permissions: [] + static: false diff --git a/docker/wazuh-4.6/config/wazuh_indexer/roles_mapping.yml b/docker/wazuh-4.6/config/wazuh_indexer/roles_mapping.yml new file mode 100644 index 0000000000..94c2b46613 --- /dev/null +++ b/docker/wazuh-4.6/config/wazuh_indexer/roles_mapping.yml 
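Review bot: The `manage_wazuh_index` role at the end of the hunk grants `read`, `delete`, `manage` and `index` on the pattern `wazuh-*`, which is every Wazuh-prefixed index rather than only the monitoring and statistics indices its comment names, and `dls: ""` / `fls: []` leave no document- or field-level restriction. If the broad pattern is intended, the comment should say so: `# Full read/write/delete/manage on every wazuh-* index (not only monitoring/statistics); mapped to kibanaserver and admin in roles_mapping.yml`. Otherwise narrowing `index_patterns` to the specific monitoring and statistics index names would keep the role aligned with its description. The `_meta` block also lacks the `---` document start that roles_mapping.yml in this commit uses; a minor consistency point.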
@@ -0,0 +1,88 @@
+---
+# In this file users, backendroles and hosts can be mapped to Open Distro Security roles.
+# Permissions for Opendistro roles are configured in roles.yml
+
+_meta:
+ type: "rolesmapping"
+ config_version: 2
+
+# Define your roles mapping here
+
+## Default roles mapping
+
+all_access:
+ reserved: true
+ hidden: false
+ backend_roles:
+ - "admin"
+ hosts: []
+ users: []
+ and_backend_roles: []
+ description: "Maps admin to all_access"
+
+own_index:
+ reserved: false
+ hidden: false
+ backend_roles: []
+ hosts: []
+ users:
+ - "*"
+ and_backend_roles: []
+ description: "Allow full access to an index named like the username"
+
+logstash:
+ reserved: false
+ hidden: false
+ backend_roles:
+ - "logstash"
+ hosts: []
+ users: []
+ and_backend_roles: []
+
+readall:
+ reserved: true
+ hidden: false
+ backend_roles:
+ - "readall"
+ hosts: []
+ users: []
+ and_backend_roles: []
+
+manage_snapshots:
+ reserved: true
+ hidden: false
+ backend_roles:
+ - "snapshotrestore"
+ hosts: []
+ users: []
+ and_backend_roles: []
+
+kibana_server:
+ reserved: true
+ hidden: false
+ backend_roles: []
+ hosts: []
+ users:
+ - "kibanaserver"
+ and_backend_roles: []
+
+kibana_user:
+ reserved: false
+ hidden: false
+ backend_roles:
+ - "kibanauser"
+ hosts: []
+ users: []
+ and_backend_roles: []
+ description: "Maps kibanauser to kibana_user"
+
+ # Wazuh monitoring and statistics index permissions
+manage_wazuh_index:
+ reserved: true
+ hidden: false
+ backend_roles: []
+ hosts: []
+ users:
+ - "kibanaserver"
+ - "admin"
+ and_backend_roles: []
diff --git a/docker/wazuh-4.6/config/wazuh_indexer/wazuh.indexer.yml b/docker/wazuh-4.6/config/wazuh_indexer/wazuh.indexer.yml
new file mode 100755
index 0000000000..3b31ac37d0
--- /dev/null
+++ b/docker/wazuh-4.6/config/wazuh_indexer/wazuh.indexer.yml
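Review bot: `manage_wazuh_index` at the bottom of the hunk maps the `kibanaserver` service user onto a role that roles.yml in this commit defines with `delete` and `manage` on `wazuh-*`, so the dashboard's backend identity can drop or reconfigure any Wazuh index, not just write monitoring data. If the app genuinely needs that, a comment stating which indices it writes and why `delete`/`manage` are required would help the next reviewer; if not, a separate user for the monitoring writer is the usual way to keep `kibanaserver` read-mostly. The comment on the line above that mapping is indented by one space (` # Wazuh monitoring …`) while every other section comment starts at column 0; align it.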
@@ -0,0 +1,28 @@
+network.host: "0.0.0.0"
+node.name: "wazuh.indexer"
+path.data: /var/lib/wazuh-indexer
+path.logs: /var/log/wazuh-indexer
+discovery.type: single-node
+compatibility.override_main_response_version: true
+plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem
+plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key
+plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/ca.pem
+plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.authcz.admin_dn:
+- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+- "CN=os1,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.restapi.roles_enabled:
+- "all_access"
+- "security_rest_api_access"
+plugins.security.system_indices.enabled: true
+plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
+plugins.security.allow_default_init_securityindex: true
+cluster.routing.allocation.disk.threshold_enabled: false
\ No newline at end of file
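Review bot: `plugins.security.nodes_dn` lists `CN=os1,…` while this node is `node.name: "wazuh.indexer"` and loads `certs/wazuh.indexer.pem`; the compose generator in this commit builds that certificate from host.json with `sed "s/HOST/$$i/g"`, so its DN is presumably `CN=wazuh.indexer,…` (confirm against config/certs/host.json) and does not match the entry. With `discovery.type: single-node` the mismatch may go unnoticed, but it means the node's own certificate is not recognised as a node certificate, which would surface as soon as a second node or a transport client is added; change the entry to `- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"` or drop the stale `os1` value. The file also ends without a trailing newline.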
diff --git a/docker/wazuh-4.6/enable_saml.sh b/docker/wazuh-4.6/enable_saml.sh
new file mode 100755
index 0000000000..41d3fb8a22
--- /dev/null
+++ b/docker/wazuh-4.6/enable_saml.sh
@@ -0,0 +1,165 @@ +#!/bin/bash + +# idp container launches and docker-compose returns too quickly, do not wait for container to +# be healthy as it has no dependencies, so we wait before continuing +sleep 7 + + +indexer="$1-wazuh.indexer-1" +dashboard="$1-wazuh.dashboard-1" + +# Setup keycloack to be used with wazuh-dashboards + +# Connection +U="admin" +P="admin" +B="http://idp:8080" + +# Realm +REALM="master" + +# Get ACCESS_TOKEN from default install +ACCESS_TOKEN=$(curl -sS \ + -d 'client_id=admin-cli' \ + -d 'username=admin' \ + -d 'password=admin' \ + -d 'grant_type=password' \ + "${B}/realms/master/protocol/openid-connect/token" | jq -r '.access_token') + +H=('-H' 'Content-Type: application/json' '-H' "Authorization: Bearer $ACCESS_TOKEN") + +# Create new REALM +REALM="wazuh" +P='{ + "id": "wazuh", + "realm": "wazuh", + "enabled": true +}' + +curl -sS -L -X POST "${B}/admin/realms" "${H[@]}" -d "$P" | grep -v "Conflict detected" + + +# Add admin certificates to keycloak as these are used by indexer to sign saml +# messages. These should be uploaded to keycloak if we want it to verify indexer messages. 
+key=$(cat /certs/wi/admin-key.pem | grep -v "PRIVATE KEY" | tr -d "\n") +cert=$(cat /certs/wi/admin.pem | grep -v CERTIFICATE | tr -d "\n") + + +# Create client +# By default the client does not verify the client signature on saml messages +# but it could be enabled for testing purposes +PC="{ + \"protocol\": \"saml\", + \"name\": \"wazuh\", + \"clientId\": \"wazuh\", + \"description\": \"wazuh saml integration\", + \"baseUrl\": \"https://localhost:5601\", + \"rootUrl\": \"https://localhost:5601\", + \"redirectUris\": [\"https://localhost:5601/*\"], + \"attributes\" : { + \"saml_single_logout_service_url_redirect\": \"https://localhost:5601/_opendistro/_security/saml/logout\", + \"saml_assertion_consumer_url_post\": \"https://localhost:5601/_opendistro/_security/saml/acs/idpinitiated\", + \"saml_single_logout_service_url_post\": \"https://wazuh.dashboard:5601/_opendistro/_security/saml/logout\", + \"saml.force.post.binding\": \"false\", + \"saml.signing.certificate\": \"$cert\", + \"saml.signing.private.key\": \"$key\", + \"saml.client.signature\": \"true\", + \"saml_single_logout_service_url_redirect\": \"https://localhost:5601\", + \"post.logout.redirect.uris\": \"https://localhost:5601*\" + } +}" + +curl -sS -L -X POST "${B}/admin/realms/${REALM}/clients" "${H[@]}" -d "$PC" | grep -v "Client wazuh already exists" + +# Get a client json representation +CLIENT=$(curl -sS -L -X GET "${B}/admin/realms/${REALM}/clients" "${H[@]}" -G -d 'clientId=wazuh' |jq '.[] | select(.clientId=="wazuh")') + +# Get client id +CID=$(echo $CLIENT | jq -r '.id' ) + +# Generate all-access and admin role for the realm +PR1='{ + "name":"all-access" +}' + +curl -sS -L -X POST "${B}/admin/realms/${REALM}/roles" "${H[@]}" -d "$PR1" | grep -v "Role with name all-access already exists" + +PR2='{ + "name":"admin" +}' + +curl -sS -L -X POST "${B}/admin/realms/${REALM}/roles" "${H[@]}" -d "$PR2" | grep -v "Role with name admin already exists" + + +## create new user +PU='{ + "username": 
"wazuh", + "email": "hello@wazuh.com", + "firstName": "Wazuh", + "lastName": "Wazuh", + "emailVerified": true, + "enabled": true, + "credentials": [{"temporary":false,"type":"password","value":"wazuh"}], + "realmRoles": ["admin", "all-access"] +}' + +curl -sS -L -X POST "${B}/admin/realms/${REALM}/users" "${H[@]}" -d "$PU" | grep -v "User exists with same username" + +## Get a user json representation +USER=$(curl -sS -L -X GET "${B}/admin/realms/${REALM}/users" "${H[@]}" -G -d 'username=wazuh' |jq '.[] | select(.username=="wazuh")') + +### Get user id +USERID=$(echo $USER | jq -r '.id' ) + +# Get roles +ROLES=$(curl -sS -L -X GET "${B}/admin/realms/${REALM}/roles" "${H[@]}" -d "$PR2" ) + +## Assign role +ADMINID=$(echo $ROLES | jq -r '.[] | select(.name=="admin").id') +ALLACCESSID=$(echo $ROLES | jq -r '.[] | select(.name=="all-access").id') + +PA1="[ + { + \"id\": \"$ADMINID\", + \"name\": \"admin\", + \"composite\": false, + \"clientRole\": false, + \"containerId\": \"wazuh\" + }, + { + \"id\": \"$ALLACCESSID\", + \"name\": \"all-access\", + \"description\": \"\", + \"composite\": false, + \"clientRole\": false, + \"containerId\": \"wazuh\" + } +]" + +curl -sS -L -X POST "${B}/admin/realms/${REALM}/users/${USERID}/role-mappings/realm" "${H[@]}" -d "$PA1" + +# Get list of client scopes +CSCOPES=$(curl -sS -L -X GET "${B}/admin/realms/${REALM}/client-scopes" "${H[@]}") +CSID=$(echo $CSCOPES | jq -r '.[] | select(.name=="role_list").id ') +CSR=$(echo $CSCOPES | jq -r '.[] | select(.name=="role_list") ') + + +# Set single to true, so opensearch works +UPDATE=$(echo $CSR | jq '.protocolMappers[] | select(.name=="role list").config.single |= "true" ') +PMID=$(echo $CSR | jq -r '.protocolMappers[] | select(.name=="role list").id') + +curl -sS -L -X PUT "${B}/admin/realms/${REALM}/client-scopes/$CSID/protocol-mappers/models/$PMID" "${H[@]}" -d "$UPDATE" + +# Set up auth realm on opensearch +certs="/usr/share/wazuh-indexer/certs" +ca="$certs/ca.pem" 
+cert="$certs/admin.pem" +key="$certs/admin-key.pem" + +securityadmin="bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh" +config_path="/usr/share/wazuh-indexer/opensearch-security/" + +echo "To update configuration in indexer, you can run:" +echo docker exec -e JAVA_HOME=/usr/share/wazuh-indexer/jdk $indexer $securityadmin -cacert $ca -cert $cert -key $key -cd $config_path + + diff --git a/docker/wazuh-4.6/pre.sh b/docker/wazuh-4.6/pre.sh new file mode 100755 index 0000000000..fbf7297c91 --- /dev/null +++ b/docker/wazuh-4.6/pre.sh 
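Review bot: The client payload `PC` defines `saml_single_logout_service_url_redirect` twice — first as `https://localhost:5601/_opendistro/_security/saml/logout`, then as `https://localhost:5601` — and a JSON parser will normally keep the last occurrence, so the SLO redirect binding ends up pointing at the dashboard root instead of the security plugin's logout endpoint; remove the second occurrence. The SAML signing material is taken from `/certs/wi/admin-key.pem`, i.e. the securityadmin client key that the same script later passes to securityadmin.sh via `-key $key`, and that private key is then stored inside Keycloak; rel.yml in this commit already generates a dedicated `saml` client certificate into `idp_certs`, so mounting `idp_certs:/certs/idp` in `idpsetup` and using `key=$(cat /certs/idp/saml-key.pem | grep -v "PRIVATE KEY" | tr -d "\n")` / `cert=$(cat /certs/idp/saml.pem | grep -v CERTIFICATE | tr -d "\n")` would keep the admin key out of the IdP. The script has no `set -euo pipefail`, and every `curl … | grep -v "… already exists"` discards curl's exit status, so a failed request is indistinguishable from an idempotent rerun.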
@@ -0,0 +1,109 @@ +#!/usr/bin/env bash + +versions=( + "4.6.0" +) + +wazuh_api_version=( + "0" +) + +usage() { + echo + echo "./pre.sh wazuh_version wazuh_api_version action " + echo + echo "where" + echo " wazuh_version is one of ${versions[*]}" + echo " wazuh_api_version is the patch version of wazuh 4.6, for example " ${wazuh_api_version[*]} + echo " action is one of up | down | stop" + echo + echo "In a minor release, the API should not change the version here bumps the API" + echo " string returned for testing. This script generates the file " + echo + echo " config/imposter/api_info.json" + echo + echo "used by the mock server" + exit -1 +} + +if [ $# -ne 3 ]; then + echo "Incorrect number of arguments " $# + usage +fi + +if [[ ! " ${versions[*]} " =~ " ${1} " ]]; then + echo "Version ${1} not found in ${versions[*]}" + exit -1 +fi + +[ -n "$2" ] && [ "$2" -eq "$2" ] 2>/dev/null +if [ $? -ne 0 ]; then + echo "$2 is not number" + exit -1 +fi + +patch_version=$2 +cat <config/imposter/api_info.json +{ + "data": { + "title": "Wazuh API REST", + "api_version": "4.6.${patch_version}", + "revision": 40316, + "license_name": "GPL 2.0", + "license_url": "https://github.com/wazuh/wazuh/blob/4.6/LICENSE", + "hostname": "imposter", + "timestamp": "2022-06-13T17:20:03Z" + }, + "error": 0 +} +EOF + +export WAZUH_STACK=${1} +export KIBANA_PORT=5601 +export KIBANA_PASSWORD=${PASSWORD:-SecretPassword} +export COMPOSE_PROJECT_NAME=wz-pre-${WAZUH_STACK//./} + +case "$3" in +up) + # recreate volumes + docker compose -f pre.yml up -Vd + + # This installs Wazuh and integrates with a default Wazuh stack + # v=$( echo -n $WAZUH_STACK | sed 's/\.//g' ) + echo + echo "Install the pre-release package manually with:" + echo + echo "1. Uninstall current version of the Wazuh app:" + echo "docker exec -ti ${COMPOSE_PROJECT_NAME}-wazuh.dashboard-1 /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin remove wazuh" + echo + echo "2. 
Restart Wazuh Dashboard:" + echo "docker restart ${COMPOSE_PROJECT_NAME}-wazuh.dashboard-1" + echo + echo "3. Copy the pre-release package to the running Wazuh Dashboard container:" + echo docker cp wazuh-4.6.${patch_version}-1.zip ${COMPOSE_PROJECT_NAME}-wazuh.dashboard-1:/tmp + echo + echo "4. Install the package we have just uploaded:" + echo "docker exec -ti ${COMPOSE_PROJECT_NAME}-wazuh.dashboard-1 /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin install file:///tmp/wazuh-4.6.${patch_version}-1.zip" + echo + echo "5. Restart the Wazuh Dashboard container:" + echo "docker restart ${COMPOSE_PROJECT_NAME}-wazuh.dashboard-1" + echo + echo "6. Upload the Wazuh app configuration:" + echo "docker cp ./config/wazuh_dashboard/wazuh.yml ${COMPOSE_PROJECT_NAME}-wazuh.dashboard-1:/usr/share/wazuh-dashboard/data/wazuh/config/" + echo + echo "7. Access the running instance in:" + echo "https://localhost:${KIBANA_PORT}" + echo + ;; +down) + # delete volumes + docker compose -f pre.yml down -v --remove-orphans + ;; +stop) + docker compose -f rel.yml -p "${COMPOSE_PROJECT_NAME}" stop + ;; +*) + echo "Action must be either up or down" + usage + ;; +esac diff --git a/docker/wazuh-4.6/pre.yml b/docker/wazuh-4.6/pre.yml new file mode 100755 index 0000000000..7f22362cd1 --- /dev/null +++ b/docker/wazuh-4.6/pre.yml 
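Review bot: The `stop` branch runs `docker compose -f rel.yml -p "${COMPOSE_PROJECT_NAME}" stop` while `up` and `down` use `pre.yml`, so services that exist only in pre.yml (`imposter`, `filebeat`) are likely left out of the stop; it should be `docker compose -f pre.yml -p "${COMPOSE_PROJECT_NAME}" stop`. The fallback message `"Action must be either up or down"` omits `stop`, which the case statement accepts. `exit -1` is not a valid exit status and is reported as 255; `exit 1` is the conventional failure code. The line `cat <config/imposter/api_info.json` looks like a heredoc whose `<<EOF >` was lost in rendering — if the source really reads that way the file is read rather than generated, so it is worth a look.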
@@ -0,0 +1,212 @@ +# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2) +version: '3.9' + +# x-logging: &logging +# logging: +# driver: loki +# options: +# loki-url: "http://host.docker.internal:3100/loki/api/v1/push" + +services: + exporter: + image: quay.io/prometheuscommunity/elasticsearch-exporter:latest + # <<: *logging + hostname: 'exporter-kbn-${WAZUH_STACK}' + networks: + - wzd-pre + - mon + command: + - '--es.uri=https://admin:${KIBANA_PASSWORD}@wazuh.indexer:9200' + - '--es.ssl-skip-verify' + - '--es.all' + + imposter: + image: outofcoffee/imposter + hostname: 'imposter-kbn-${WAZUH_STACK}' + networks: + - wzd-pre + - mon + # <<: *logging + environment: + - JAVA_OPTS="-Xmx512m -Xss512k -Dfile.encoding=UTF-8 -XX:MaxRAM=800m -XX:MaxRAMPercentage=95 -XX:MinRAMPercentage=60A" + - MALLOC_ARENA_MAX=1 + volumes: + - ./config/imposter:/opt/imposter/config + + generator: + image: cfssl/cfssl + volumes: + - wi_certs:/certs/wi + - wd_certs:/certs/wd + - wm_certs:/certs/wm + - ./config/certs:/conf + entrypoint: /bin/bash + command: > + -c ' + export certs=/tmp/certs + mkdir $$certs + cd $$certs + + echo "Generating CA" + cfssl gencert -initca /conf/ca.json | cfssljson -bare ca + + echo "Generating servers certificates" + for i in wazuh.indexer wazuh.dashboard wazuh.manager; do + echo "Generating cert for $$i" + cat /conf/host.json | \ + sed "s/HOST/$$i/g" | \ + cfssl gencert \ + -ca $$certs/ca.pem \ + -ca-key $$certs/ca-key.pem \ + -config /conf/cfssl.json \ + -profile=server - | \ + cfssljson -bare $$i + openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key + done + + echo "Generating clients certificates" + for i in admin filebeat; do + echo "Generating cert for $$i" + cat /conf/host.json | \ + sed "s/HOST/$$i/g" | \ + cfssl gencert \ + -ca $$certs/ca.pem \ + -ca-key $$certs/ca-key.pem \ + -config /conf/cfssl.json \ + -profile=client - | \ + cfssljson -bare $$i + openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem 
-nocrypt -out $$i.key + done + + echo "Setting up permissions" + + rm /certs/wi/* /certs/wd/* /certs/wm/* + + mv $$certs/wazuh.indexer* /certs/wi + mv $$certs/admin* /certs/wi + mv /certs/wi/admin.key /certs/wi/admin-key.pem + cp $$certs/*ca* /certs/wi + + mv $$certs/wazuh.dashboard* /certs/wd + cp $$certs/*ca* /certs/wd + + mv $$certs/*.* /certs/wm + + chmod 640 /certs/wi/* /certs/wd/* /certs/wm/* + chown -R 1000:1000 /certs/* + ls -alR /certs/ + + sleep 30 + ' + healthcheck: + test: ['CMD-SHELL', '[ -r /certs/wm/wazuh.manager.pem ]'] + interval: 2s + timeout: 5s + retries: 10 + + filebeat: + depends_on: + wazuh.indexer: + condition: service_healthy + image: elastic/filebeat:7.10.2 + hostname: filebeat + user: '0:0' + networks: + - wzd-pre + - mon + # <<: *logging + entrypoint: + - '/bin/bash' + command: > + -c ' + mkdir -p /etc/filebeat + echo admin | filebeat keystore add username --stdin --force + echo SecretPassword| filebeat keystore add password --stdin --force + curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.3/extensions/elasticsearch/7.x/wazuh-template.json + curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module + # copy filebeat to preserve correct permissions without + # affecting host filesystem + cp /tmp/filebeat.yml /usr/share/filebeat/filebeat.yml + chown root.root /usr/share/filebeat/filebeat.yml + chmod go-w /usr/share/filebeat/filebeat.yml + filebeat setup -e + filebeat + ' + volumes: + - wm_certs:/etc/ssl/wazuh + - ./config/filebeat/filebeat.yml:/tmp/filebeat.yml + + wazuh.indexer: + depends_on: + generator: + condition: service_healthy + image: wazuh/wazuh-indexer:${WAZUH_STACK} + hostname: wazuh.indexer + networks: + - wzd-pre + - mon + # <<: *logging + environment: + - 'OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m' + - 'OPENSEARCH_PATH_CONF=/usr/share/wazuh-indexer/config' + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + 
hard: 65536 + volumes: + - wazuh-indexer-data:/var/lib/wazuh-indexer + - wi_certs:/usr/share/wazuh-indexer/certs/ + - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml + - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml + - ./config/wazuh_indexer/config.yml:/usr/share/wazuh-indexer/opensearch-security/config.yml + - ./config/wazuh_indexer/roles.yml:/usr/share/wazuh-indexer/opensearch-security/roles.yml + - ./config/wazuh_indexer/roles_mapping.yml:/usr/share/wazuh-indexer/opensearch-security/roles_mapping.yml + healthcheck: + test: + [ + 'CMD-SHELL', + '/usr/share/wazuh-indexer/bin/opensearch-plugin list | grep -q security', + ] + interval: 10s + timeout: 10s + retries: 120 + + wazuh.dashboard: + image: wazuh/wazuh-dashboard:${WAZUH_STACK} + hostname: wazuh.dashboard + depends_on: + wazuh.indexer: + condition: service_healthy + networks: + - wzd-pre + - mon + # <<: *logging + ports: + - ${KIBANA_PORT}:5601 + environment: + - INDEXER_USERNAME=admin + - INDEXER_PASSWORD=SecretPassword + - WAZUH_API_URL=http://imposter:8080 + - API_USERNAME=wazuh-wui + - API_PASSWORD=MyS3cr37P450r.*- + volumes: + - wd_certs:/usr/share/wazuh-dashboard/certs + - ./config/wazuh_dashboard/wazuh_dashboards.yml:/usr/share/wazuh-dashboard/config/wazuh_dashboards.yml + - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml + +networks: + networks: + wzd-pre: + name: wzd-pre-${WAZUH_STACK} + driver: bridge + mon: + external: true + +volumes: + wazuh-indexer-data: + wi_certs: + wd_certs: + wm_certs: diff --git a/docker/wazuh-4.6/rel.sh b/docker/wazuh-4.6/rel.sh new file mode 100755 index 0000000000..d3b3d18270 --- /dev/null +++ b/docker/wazuh-4.6/rel.sh 
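Review bot: The generator copies the CA private key into every service volume: `cp $$certs/*ca* /certs/wi` and `cp $$certs/*ca* /certs/wd` match `ca-key.pem` as well as `ca.pem`, and `mv $$certs/*.* /certs/wm` sweeps the remainder, CA key included, into the manager volume, so each container can mint certificates the whole stack trusts. Only `ca.pem` is needed as the trust anchor; `cp $$certs/ca.pem /certs/wi`, `cp $$certs/ca.pem /certs/wd` and a `rm $$certs/ca-key.pem` before the final `mv` keep the key inside the throwaway generator container. The same pattern is in the `generator` service of rel.yml in this commit. Separately, the top-level `networks:` block appears to hold a nested `networks:` key wrapping `wzd-pre` and `mon` (indentation is lost in this view, so confirm in the file); if so, compose will not find the networks the services reference, and rel.yml's flat `networks:` block is the intended shape. The filebeat command also echoes `SecretPassword` inline rather than using `${KIBANA_PASSWORD}` like the exporter, so the two can drift.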
@@ -0,0 +1,69 @@ +#!/usr/bin/env bash + +versions=( + "4.6.0" +) + +usage() { + echo + echo "$0 version action [saml]" + echo + echo "where version is one of ${versions[*]}" + echo "action is one of up | down | stop" + echo "saml to deploy a saml enabled environment" + exit -1 +} + +if [ $# -lt 2 ]; then + echo "Incorrect number of arguments " $# + usage +fi + +if [[ ! " ${versions[*]} " =~ " ${1} " ]]; then + echo "Version ${1} not found in ${versions[*]}" + exit -1 +fi + +export WAZUH_STACK=${1} +export KIBANA_PORT=5601 +export KIBANA_PASSWORD=${PASSWORD:-SecretPassword} +export COMPOSE_PROJECT_NAME=wz-rel-${WAZUH_STACK//./} + +profile="standard" +export WAZUH_DASHBOARD_CONF=./config/wazuh_dashboard/wazuh_dashboard.yml +export SEC_CONFIG_FILE=./config/wazuh_indexer/config.yml + +if [[ "$3" =~ "saml" ]]; then + profile="saml" + export WAZUH_DASHBOARD_CONF=./config/wazuh_dashboard/wazuh_dashboard_saml.yml + export SEC_CONFIG_FILE=./config/wazuh_indexer/config-saml.yml +fi + +case "$2" in +up) + docker compose --profile $profile -f rel.yml -p "${COMPOSE_PROJECT_NAME}" up -Vd + echo + echo "1. 
(Optional) Enroll an agent (Ubuntu 20.04):" + echo "docker run --name ${COMPOSE_PROJECT_NAME}-agent --network ${COMPOSE_PROJECT_NAME} --label com.docker.compose.project=${COMPOSE_PROJECT_NAME} -d ubuntu:20.04 bash -c '" + echo " apt update -y" + echo " apt install -y curl lsb-release" + echo " curl -so \wazuh-agent-${WAZUH_STACK}.deb \\" + echo " https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_${WAZUH_STACK}-1_amd64.deb \\" + echo " && WAZUH_MANAGER='wazuh.manager' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-${WAZUH_STACK}.deb" + echo + echo " /etc/init.d/wazuh-agent start" + echo " tail -f /var/ossec/logs/ossec.log" + echo "'" + echo + ;; +down) + docker compose --profile $profile -f rel.yml -p "${COMPOSE_PROJECT_NAME}" down -v --remove-orphans + ;; +stop) + docker compose --profile $profile -f rel.yml -p "${COMPOSE_PROJECT_NAME}" stop + ;; +*) + echo "Action must be either up or down" + usage + ;; +esac diff --git a/docker/wazuh-4.6/rel.yml b/docker/wazuh-4.6/rel.yml new file mode 100755 index 0000000000..fd5b1a3a08 --- /dev/null +++ b/docker/wazuh-4.6/rel.yml 
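Review bot: In the `up` branch, `echo " curl -so \wazuh-agent-${WAZUH_STACK}.deb \\"` prints a literal backslash before `wazuh-agent` (`\w` is not an escape inside double quotes), so the suggested command reads `curl -so \wazuh-agent-4.6.0.deb`; a shell strips it again when the command is pasted, so it is cosmetic but confusing — drop it: `echo " curl -so wazuh-agent-${WAZUH_STACK}.deb \\"`. The catch-all message `"Action must be either up or down"` does not mention `stop`, which the case statement handles. `exit -1` yields status 255; `exit 1` is the conventional failure code, and pre.sh in this commit has the same.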
@@ -0,0 +1,325 @@ +# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2) +version: '3.9' + +# x-logging: &logging +# logging: +# driver: loki +# options: +# loki-url: 'http://host.docker.internal:3100/loki/api/v1/push' + +services: + generator: + image: cfssl/cfssl + profiles: + - 'saml' + - 'standard' + # <<: *logging + volumes: + - wi_certs:/certs/wi + - wd_certs:/certs/wd + - wm_certs:/certs/wm + - idp_certs:/certs/idp + - ./config/certs:/conf + # Included to avoid docker from creating duplicated networks + networks: + - wz-rel + entrypoint: /bin/bash + command: > + -c ' + export certs=/tmp/certs + mkdir $$certs + cd $$certs + + echo "Generating CA" + cfssl gencert -initca /conf/ca.json | cfssljson -bare ca + + echo "Generating servers certificates" + for i in wazuh.indexer wazuh.dashboard wazuh.manager; do + echo "Generating cert for $$i" + cat /conf/host.json | \ + sed "s/HOST/$$i/g" | \ + cfssl gencert \ + -ca $$certs/ca.pem \ + -ca-key $$certs/ca-key.pem \ + -config /conf/cfssl.json \ + -profile=server - | \ + cfssljson -bare $$i + openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key + done + + echo "Generating clients certificates" + for i in admin saml filebeat; do + echo "Generating cert for $$i" + cat /conf/host.json | \ + sed "s/HOST/$$i/g" | \ + cfssl gencert \ + -ca $$certs/ca.pem \ + -ca-key $$certs/ca-key.pem \ + -config /conf/cfssl.json \ + -profile=client - | \ + cfssljson -bare $$i + openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key + done + + echo "Setting up permissions" + + rm /certs/wi/* /certs/wd/* /certs/wm/* + + mv $$certs/wazuh.indexer* /certs/wi + mv $$certs/admin* /certs/wi + mv /certs/wi/admin.key /certs/wi/admin-key.pem + cp $$certs/*ca* /certs/wi + + mv $$certs/saml* /certs/idp + mv /certs/idp/saml.key /certs/idp/saml-key.pem + cp $$certs/*ca* /certs/idp + + mv $$certs/wazuh.dashboard* /certs/wd + cp $$certs/*ca* /certs/wd + + mv $$certs/*.* /certs/wm + + chmod 640 
/certs/wi/* /certs/wd/* /certs/wm/* + chown -R 1000:1000 /certs/* + ls -alR /certs/ + + sleep 300 + ' + healthcheck: + test: ['CMD-SHELL', '[ -r /certs/wm/wazuh.manager.pem ]'] + interval: 2s + timeout: 5s + retries: 10 + + idpsec: + image: quay.io/keycloak/keycloak:19.0.1 + depends_on: + generator: + condition: service_healthy + profiles: + - 'saml' + volumes: + - wi_certs:/certs/wi + - wd_certs:/certs/wd + - wm_certs:/certs/wm + - idp_certs:/certs/idp + networks: + - wz-rel + - mon + entrypoint: /bin/bash + command: > + -c ' + # trust store + for i in /certs/idp/ca.pem /certs/wd/wazuh.dashboard.pem /certs/wi/wazuh.indexer.pem + do + keytool -import -alias $$(basename $$i .pem) -file $$i -keystore /certs/idp/truststore.jks -storepass SecretPassword -trustcacerts -noprompt + done + sleep 300 + ' + healthcheck: + test: ['CMD-SHELL', '[ -r /certs/idp/truststore.jks ]'] + interval: 2s + timeout: 5s + retries: 10 + + wazuh.manager: + depends_on: + generator: + condition: service_healthy + image: wazuh/wazuh-manager:${WAZUH_STACK} + profiles: + - 'saml' + - 'standard' + hostname: wazuh.manager + networks: + - wz-rel + - mon + # <<: *logging + environment: + - INDEXER_URL=https://wazuh.indexer:9200 + - INDEXER_USERNAME=admin + - INDEXER_PASSWORD=SecretPassword + - FILEBEAT_SSL_VERIFICATION_MODE=full + - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/wazuh/ca.pem + - SSL_CERTIFICATE=/etc/ssl/wazuh/filebeat.pem + - SSL_KEY=/etc/ssl/wazuh/filebeat.key + - API_USERNAME=wazuh-wui + - API_PASSWORD=MyS3cr37P450r.*- + volumes: + - wazuh_api_configuration:/var/ossec/api/configuration + - wazuh_etc:/var/ossec/etc + - wazuh_logs:/var/ossec/logs + - wazuh_queue:/var/ossec/queue + - wazuh_var_multigroups:/var/ossec/var/multigroups + - wazuh_integrations:/var/ossec/integrations + - wazuh_active_response:/var/ossec/active-response/bin + - wazuh_agentless:/var/ossec/agentless + - wazuh_wodles:/var/ossec/wodles + - filebeat_etc:/etc/filebeat + - filebeat_var:/var/lib/filebeat + - 
wm_certs:/etc/ssl/wazuh + - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf + + wazuh.indexer: + depends_on: + generator: + condition: service_healthy + idpsetup: + condition: service_completed_successfully + required: false + image: wazuh/wazuh-indexer:${WAZUH_STACK} + profiles: + - 'saml' + - 'standard' + hostname: wazuh.indexer + networks: + - wz-rel + - mon + # <<: *logging + environment: + - 'OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m' + - 'OPENSEARCH_PATH_CONF=/usr/share/wazuh-indexer/config' + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + volumes: + - wazuh-indexer-data:/var/lib/wazuh-indexer + - wi_certs:/usr/share/wazuh-indexer/certs/ + - idp_certs:/usr/share/wazuh-indexer/idp/ + - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml + - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml + - ${SEC_CONFIG_FILE}:/usr/share/wazuh-indexer/opensearch-security/config.yml + - ./config/wazuh_indexer/roles.yml:/usr/share/wazuh-indexer/opensearch-security/roles.yml + - ./config/wazuh_indexer/roles_mapping.yml:/usr/share/wazuh-indexer/opensearch-security/roles_mapping.yml + healthcheck: + test: + [ + 'CMD-SHELL', + '/usr/share/wazuh-indexer/bin/opensearch-plugin list | grep -q security', + ] + interval: 10s + timeout: 10s + retries: 120 + + wazuh.dashboard: + image: wazuh/wazuh-dashboard:${WAZUH_STACK} + profiles: + - 'saml' + - 'standard' + hostname: wazuh.dashboard + depends_on: + wazuh.indexer: + condition: service_healthy + networks: + - wz-rel + - mon + # <<: *logging + ports: + - ${KIBANA_PORT}:5601 + environment: + - INDEXER_USERNAME=admin + - INDEXER_PASSWORD=SecretPassword + - WAZUH_API_URL=https://wazuh.manager + - API_USERNAME=wazuh-wui + - API_PASSWORD=MyS3cr37P450r.*- + volumes: + - wd_certs:/usr/share/wazuh-dashboard/certs + - ${WAZUH_DASHBOARD_CONF}:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml + 
- ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml + + exporter: + image: quay.io/prometheuscommunity/elasticsearch-exporter:latest + profiles: + - 'saml' + - 'standard' + # <<: *logging + hostname: 'exporter' + networks: + - wz-rel + - mon + command: + - '--es.uri=https://admin:${KIBANA_PASSWORD}@wazuh-indexer:9200' + - '--es.ssl-skip-verify' + - '--es.all' + + idp: + image: quay.io/keycloak/keycloak:19.0.1 + depends_on: + idpsec: + condition: service_healthy + profiles: + - 'saml' + hostname: idp + # <<: *logging + networks: + - wz-rel + - mon + ports: + - '8080:8080' + environment: + - KEYCLOAK_ADMIN=admin + - KEYCLOAK_ADMIN_PASSWORD=admin + - KC_SPI_TRUSTSTORE_FILE_PASSWORD=SecretPassword + - KC_SPI_TRUSTSTORE_FILE_FILE=/certs/truststore.jks + volumes: + - keycloak-data:/var/lib/keycloak/data + - idp_certs:/certs + command: start-dev + healthcheck: + test: curl -f http://idp:8080/realms/master || exit 1 + interval: 10s + timeout: 5s + retries: 6 + + idpsetup: + image: badouralix/curl-jq + depends_on: + idp: + condition: service_healthy + profiles: + - 'saml' + hostname: idpsetup + # <<: *logging + networks: + - wz-rel + - mon + volumes: + - wi_certs:/certs/wi + - ./enable_saml.sh:/enable_saml.sh + entrypoint: /bin/sh + command: > + -c ' + apk add bash + bash /enable_saml.sh + exit 0 + ' + +networks: + wz-rel: + name: ${COMPOSE_PROJECT_NAME} + driver: bridge + mon: + external: true + +volumes: + wi_certs: + wd_certs: + wm_certs: + idp_certs: + wazuh_api_configuration: + wazuh_etc: + wazuh_logs: + wazuh_queue: + wazuh_var_multigroups: + wazuh_integrations: + wazuh_active_response: + wazuh_agentless: + wazuh_wodles: + filebeat_etc: + filebeat_var: + wazuh-indexer-data: + keycloak-data: diff --git a/docker/wazuh-4.7/README.md b/docker/wazuh-4.7/README.md new file mode 100644 index 0000000000..20d90784da --- /dev/null +++ b/docker/wazuh-4.7/README.md 
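Review bot: The `exporter` service points at `https://admin:${KIBANA_PASSWORD}@wazuh-indexer:9200`, but the indexer service's name and hostname in this file are `wazuh.indexer` (pre.yml uses `wazuh.indexer:9200`), so the exporter will not resolve its target; change it to `'--es.uri=https://admin:${KIBANA_PASSWORD}@wazuh.indexer:9200'`. The `idp` service publishes `8080:8080` on the host with `KEYCLOAK_ADMIN=admin` / `KEYCLOAK_ADMIN_PASSWORD=admin`, which the enable_saml.sh bootstrap in this commit relies on; a comment on that block, `# dev-only IdP: default admin credentials, admin console reachable on host port 8080`, records that this is a lab setting rather than a template. `idpsetup` mounts only `wi_certs` although the generator produces a dedicated `saml` certificate in `idp_certs`; mounting `idp_certs` there as well would let the SAML setup use that certificate instead of the indexer admin key.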
@@ -0,0 +1,142 @@ +# Wazuh Stack 4.7.x + +On this folder, we can find two types of environments: + +- release environment, managed by the `rel.sh` script +- prerelease environment managed by the `pre.sh` script + +### UI Credentials + +The default user and password to access the UI at https://0.0.0.0:5601/ are: + +``` +admin:SecretPassword +``` + +## Release environment + +This environment will start a working deployment with: + +- Wazuh Manager +- Wazuh Indexer +- Wazuh Dashboard + +Check the scripts for a list of the supported Wazuh versions. + +The environment expect the network `mon` to exists, either bring up the +`mon` stack or execute the following command: + +```bash +docker network create mon +``` + +The images used here are generated by the CI/CD team and uploaded into +the official Docker Hub organization. No Wazuh Agent image is provided yet, +so you'll need to deploy an agent in Docker manually, by following the +instructions below. + +### Image certificates + +Certificates are created automatically by the docker-compose, but if +it fails to create them with the appropriate permissions, we might need +to adjust them. + +This is related to the way the official Wazuh docker images are +prepared. + +### Registering agents using Docker + +To register an agent, we need to get the enrollment command from the +UI and then execute: + +- For `CentOS/8` images: + + ```bash + docker run --name wz-rel-agent-4.7.0 --rm --network wz-rel-450 --label com.docker.compose.project=wz-rel-450 -d centos:8 bash -c ' + sed -i -e "s|mirrorlist=|#mirrorlist=|g" /etc/yum.repos.d/CentOS-* + sed -i -e "s|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g" /etc/yum.repos.d/CentOS-* + + # Change this command by the one the UI suggests. Add the -y flag and remove the `sudo`. 
+ WAZUH_MANAGER='wazuh.manager' yum install -y https://packages.wazuh.com/4.x/yum5/x86_64/wazuh-agent-4.7.0-1.el5.x86_64.rpm + + /etc/init.d/wazuh-agent start + tail -f /var/ossec/logs/ossec.log + ' + ``` + +- For `Ubuntu` images + + ```bash + docker run --name wz-rel-agent-4.7.0 --network wz-rel-450 --label com.docker.compose.project=wz-rel-450 -d ubuntu:20.04 bash -c ' + apt update -y + apt install -y curl lsb-release + + # Change this command by the one the UI suggests to use. Remove the `sudo`. + curl -so wazuh-agent-4.7.0.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb && WAZUH_MANAGER='wazuh.manager' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.7.0.deb + + /etc/init.d/wazuh-agent start + tail -f /var/ossec/logs/ossec.log + ' + ``` + +- For `non-Linux` agents: + + We need to provision virtual machines. + +## Prerelease environment + +The prerelease environment helps us test app releases while the rest of +Wazuh packages haven't been generated yet. + +This environment will bring up: + +- Wazuh Indexer +- Wazuh Dashboard +- Filebeat +- Imposter + +### Usage + +The way to use this environment is to bring up a published Wazuh version to +later on upgrade the app with our pre-release package. + +While bring up the environment with the `pre.sh` script, specify the published +version of Wazuh with the `wazuh_version` argument, the new patch version of +Wazuh with `wazuh_api_version` and finally follow the steps provided by the +scripts. + +Example: test a package for Wazuh 4.7.0 + +```bash +./pre.sh 4.7.0 0 up +``` + +```bash +./pre.sh wazuh_version wazuh_api_version action + +where + wazuh_version is one of + wazuh_api_version is the minor version of wazuh 4.7, for example 5 17 + action is one of up | down + +In a minor release, the API should not change the version here bumps the API + string returned for testing. 
This script generates the file + + config/imposter/api_info.json + +used by the mock server +``` + +Please take into account that the API version for this environment will +always be a 4.7.x version. Also consider that our application version +must be the same as the one selected here. + +### App upgrade + +Follow the instructions provided by the `pre.sh` script. + +### Agent enrollment + +Because we're not using a real Wazuh Manager, we cannot register new agents. +Instead, Imposter (the mock server) will provide mocked responds to valid API +requests, as if it were the real Wazuh server. diff --git a/docker/wazuh-4.7/config/certs/ca.json b/docker/wazuh-4.7/config/certs/ca.json new file mode 100644 index 0000000000..8a96a70a42 --- /dev/null +++ b/docker/wazuh-4.7/config/certs/ca.json @@ -0,0 +1,15 @@ +{ + "CN": "Wazuh", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "US", + "L": "San Francisco", + "O": "Wazuh", + "OU": "Wazuh Root CA" + } + ] +} diff --git a/docker/wazuh-4.7/config/certs/cfssl.json b/docker/wazuh-4.7/config/certs/cfssl.json new file mode 100644 index 0000000000..d23daf7621 --- /dev/null +++ b/docker/wazuh-4.7/config/certs/cfssl.json 
@@ -0,0 +1,58 @@ +{ + "signing": { + "default": { + "expiry": "8760h" + }, + "profiles": { + "intermediate_ca": { + "usages": [ + "signing", + "digital signature", + "key encipherment", + "cert sign", + "crl sign", + "server auth", + "client auth" + ], + "expiry": "8760h", + "ca_constraint": { + "is_ca": true, + "max_path_len": 0, + "max_path_len_zero": true + } + }, + "peer": { + "usages": [ + "signing", + "digital signature", + "key encipherment", + "data encipherment", + "client auth", + "server auth" + ], + "expiry": "8760h" + }, + "server": { + "usages": [ + "signing", + "digital signing", + "key encipherment", + "data encipherment", + "server auth" + ], + "expiry": "8760h" + }, + "client": { + "usages": [ + "signing", + "digital signature", + "key encipherment", + "data encipherment", + "client auth" + ], + "expiry": "8760h" + } + } + } +} + diff --git a/docker/wazuh-4.7/config/certs/host.json b/docker/wazuh-4.7/config/certs/host.json new file mode 100644 index 0000000000..27805da58e --- /dev/null +++ b/docker/wazuh-4.7/config/certs/host.json @@ -0,0 +1,19 @@ +{ + "CN": "HOST", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "US", + "L": "California", + "O": "Wazuh", + "OU": "Wazuh" + } + ], + "hosts": [ + "HOST", + "localhost" + ] +} diff --git a/docker/wazuh-4.7/config/filebeat/filebeat.yml b/docker/wazuh-4.7/config/filebeat/filebeat.yml new file mode 100644 index 0000000000..e22b1f97ca --- /dev/null +++ b/docker/wazuh-4.7/config/filebeat/filebeat.yml 
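Review bot: The `server` profile lists `"digital signing"` among its usages, which is not a cfssl usage name; every other profile in the file spells it `"digital signature"`, so this looks like a typo and, as far as I can tell, cfssl silently skips usage names it does not recognise, leaving server certificates without the digitalSignature key-usage bit. Change it to `"digital signature"` so the four profiles agree. Separately, the `intermediate_ca` profile also carries `"server auth"` and `"client auth"`, which a CA certificate does not need; dropping them keeps the intermediate limited to signing.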
@@ -0,0 +1,22 @@ + +# Wazuh - Filebeat configuration file +filebeat.modules: + - module: wazuh + alerts: + enabled: true + archives: + enabled: false + +setup.template.json.enabled: true +setup.template.json.path: '/etc/filebeat/wazuh-template.json' +setup.template.json.name: 'wazuh' +setup.template.overwrite: true +setup.ilm.enabled: false +output.elasticsearch: + hosts: ['https://wazuh.indexer:9200'] + username: 'admin' + password: 'SecretPassword' + ssl.verification_mode: full + ssl.certificate_authorities: ['/etc/ssl/wazuh/ca.pem'] + ssl.certificate: '/etc/ssl/wazuh/filebeat.pem' + ssl.key: '/etc/ssl/wazuh/filebeat-key.pem' diff --git a/docker/wazuh-4.7/config/imposter/api_info.json b/docker/wazuh-4.7/config/imposter/api_info.json new file mode 100644 index 0000000000..6bd2244ded --- /dev/null +++ b/docker/wazuh-4.7/config/imposter/api_info.json @@ -0,0 +1,12 @@ +{ + "data": { + "title": "Wazuh API REST", + "api_version": "4.7.0", + "revision": 40316, + "license_name": "GPL 2.0", + "license_url": "https://github.com/wazuh/wazuh/blob/4.7/LICENSE", + "hostname": "imposter", + "timestamp": "2022-06-13T17:20:03Z" + }, + "error": 0 +} diff --git a/docker/wazuh-4.7/config/imposter/login.js b/docker/wazuh-4.7/config/imposter/login.js new file mode 100755 index 0000000000..86c2eb4180 --- /dev/null +++ b/docker/wazuh-4.7/config/imposter/login.js 
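Review bot: `password: 'SecretPassword'` commits the indexer admin credential in clear text, and the same literal secrets are repeated in the dashboard `wazuh.yml` and in both `wazuh_dashboard*.yml` files (`opensearch.password: 'kibanaserver'`), so rotating one means editing several files. Beats expand `${VAR}` references from the environment, so `password: '${INDEXER_PASSWORD}'` with the value supplied by the compose service keeps a single source of truth and keeps the secret out of the tree. The `ssl.verification_mode: full` setting is the right choice here and worth keeping when the other services are aligned.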
@@ -0,0 +1,42 @@ +exports = {}; + +load('https://raw.githubusercontent.com/kjur/jsrsasign/master/npm/lib/jsrsasign.js', exports); +header = { + "alg": "HS256", + "typ": "JWT", + "kid": "vpaas-magic-cookie-1fc542a3e4414a44b2611668195e2bfe/4f4910" +}; + +// The second part of the token is the payload, which contains the claims. +// Claims are statements about an entity (typically, the user) and +// additional data. There are three types of claims: +// registered, public, and private claims. +nbf = Date.now()-1000; + +claims = { + "iss": "wazuh", + "aud": "Wazuh API REST", + "nbf": nbf, + "exp": nbf+3600000, + "sub": "wazuh", + "rbac_roles": [ + 1 + ], + "rbac_mode": "white" +}; + + +jwt = KJUR.jws.JWS.sign("HS256", JSON.stringify(header), JSON.stringify(claims), "616161"); + +resp = { + "data": { + "token": jwt, + "error": 0 + } +}; + +respond() + .withStatusCode(200) + .withData(JSON.stringify(resp)); + + diff --git a/docker/wazuh-4.7/config/imposter/wazuh-config.yml b/docker/wazuh-4.7/config/imposter/wazuh-config.yml new file mode 100755 index 0000000000..ace39bf4a0 --- /dev/null +++ b/docker/wazuh-4.7/config/imposter/wazuh-config.yml @@ -0,0 +1,16 @@ +--- +plugin: openapi +specFile: https://raw.githubusercontent.com/wazuh/wazuh/v4.4.0/api/api/spec/spec.yaml + +resources: + - path: /security/user/authenticate + method: POST + response: + statusCode: 200 + scriptFile: login.js + - path: / + method: get + response: + statusCode: 200 + staticFile: api_info.json + diff --git a/docker/wazuh-4.7/config/wazuh_cluster/wazuh_manager.conf b/docker/wazuh-4.7/config/wazuh_cluster/wazuh_manager.conf new file mode 100755 index 0000000000..aff1af9d6c --- /dev/null +++ b/docker/wazuh-4.7/config/wazuh_cluster/wazuh_manager.conf 
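Review bot: `load('https://raw.githubusercontent.com/kjur/jsrsasign/master/npm/lib/jsrsasign.js', exports)` fetches an unpinned script from a moving branch at request time and evaluates it inside the mock, so the behaviour of the login endpoint depends on whatever that branch holds when the container runs, and it breaks entirely without network access. Pin the URL to a tagged release or, better, vendor the file next to `login.js` and load it by path. The signing secret `"616161"` and the `kid` header value are fine for a mock, but a one-line comment saying the token is only meant to be accepted by this stack would stop someone copying the snippet elsewhere.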
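Review bot: `specFile` pins the API spec to `v4.4.0` while `api_info.json` advertises `api_version: "4.7.0"` and the folder is `wazuh-4.7`, so any endpoint added or changed between those versions is absent from the mock and the app under test will see 404s that a real 4.7 manager would not return. Point it at the same path on the matching tag, `specFile: https://raw.githubusercontent.com/wazuh/wazuh/v4.7.0/api/api/spec/spec.yaml`, and keep it in step with `api_version`. Minor: `method: get` is lowercase while the other resource uses `POST`; pick one casing.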
@@ -0,0 +1,353 @@ + + + yes + yes + no + no + no + smtp.example.wazuh.com + wazuh@example.wazuh.com + recipient@example.wazuh.com + 12 + alerts.log + 10m + 0 + + + + 3 + 12 + + + + + plain + + + + secure + 1514 + tcp + 131072 + + + + + no + yes + yes + yes + yes + yes + yes + yes + + + 43200 + + etc/rootcheck/rootkit_files.txt + etc/rootcheck/rootkit_trojans.txt + + yes + + + + yes + 1800 + 1d + yes + + wodles/java + wodles/ciscat + + + + + yes + yes + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + yes + + + + + no + 1h + yes + yes + yes + yes + yes + yes + yes + + + + 10 + + + + + yes + yes + 12h + yes + + + + no + 5m + 6h + yes + + + + no + trusty + xenial + bionic + focal + 1h + + + + + no + stretch + buster + bullseye + 1h + + + + + no + 5 + 6 + 7 + 8 + 1h + + + + + no + amazon-linux + amazon-linux-2 + 1h + + + + + no + 1h + + + + + yes + 1h + + + + + yes + 2010 + 1h + + + + + + + no + + + 43200 + + yes + + + yes + + + no + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin,/boot + + + /etc/mtab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/random.seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + + + .log$|.swp$ + + + /etc/ssl/private.key + + yes + yes + yes + yes + + + 10 + + + 100 + + + + yes + 5m + 1h + 10 + + + + + + 127.0.0.1 + ^localhost.localdomain$ + 10.0.0.106 + + + + disable-account + disable-account + yes + + + + restart-wazuh + restart-wazuh + + + + firewall-drop + firewall-drop + yes + + + + host-deny + host-deny + yes + + + + route-null + route-null + yes + + + + win_route-null + route-null.exe + yes + + + + netsh + netsh.exe + yes + + + + + + + command + df -P + 360 + + + + full_command + netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + netstat listening 
ports + 360 + + + + full_command + last -n 20 + 360 + + + + + ruleset/decoders + ruleset/rules + 0215-policy_rules.xml + etc/lists/audit-keys + etc/lists/amazon/aws-eventnames + etc/lists/security-eventchannel + + + etc/decoders + etc/rules + + + + yes + 1 + 64 + 15m + + + + + no + 1515 + no + yes + no + HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH + + no + etc/sslmanager.cert + etc/sslmanager.key + no + + + + wazuh + node01 + master + + 1516 + 0.0.0.0 + + NODE_IP + + no + yes + + + + + + + syslog + /var/ossec/logs/active-responses.log + + + diff --git a/docker/wazuh-4.7/config/wazuh_dashboard/wazuh.yml b/docker/wazuh-4.7/config/wazuh_dashboard/wazuh.yml new file mode 100755 index 0000000000..dca5610652 --- /dev/null +++ b/docker/wazuh-4.7/config/wazuh_dashboard/wazuh.yml @@ -0,0 +1,14 @@ +hosts: + - imposter: + url: "http://imposter" + port: 8080 + username: wazuh-wui + password: MyS3cr37P450r.*- + run_as: false + + - 1513629884013: + url: https://wazuh.manager + port: 55000 + username: wazuh-wui + password: MyS3cr37P450r.*- + run_as: false diff --git a/docker/wazuh-4.7/config/wazuh_dashboard/wazuh_dashboard.yml b/docker/wazuh-4.7/config/wazuh_dashboard/wazuh_dashboard.yml new file mode 100755 index 0000000000..741fa3c019 --- /dev/null +++ b/docker/wazuh-4.7/config/wazuh_dashboard/wazuh_dashboard.yml 
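Review bot: `- 1513629884013:` is an unquoted all-digit mapping key, so YAML loaders hand it to the plugin as an integer rather than a string; if the host id is compared as a string anywhere, quoting it (`- '1513629884013':`) avoids a type surprise, and a readable name like `manager:` would be clearer still. The `imposter` entry talks to the mock over `url: "http://imposter"`, which is fine for a compose-internal mock but worth a comment so nobody reuses the entry against a real manager. Both entries repeat the API password in clear text, which is the same issue raised on the filebeat configuration.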
@@ -0,0 +1,15 @@ +server.host: 0.0.0.0 +server.port: 5601 +opensearch.hosts: https://wazuh.indexer:9200 +opensearch.ssl.verificationMode: certificate +opensearch.requestHeadersAllowlist: ['securitytenant', 'Authorization'] +opensearch_security.multitenancy.enabled: false +opensearch_security.readonly_mode.roles: ['kibana_read_only'] +server.ssl.enabled: true +server.ssl.key: '/usr/share/wazuh-dashboard/certs/wazuh.dashboard.key' +server.ssl.certificate: '/usr/share/wazuh-dashboard/certs/wazuh.dashboard.pem' +opensearch.ssl.certificateAuthorities: + ['/usr/share/wazuh-dashboard/certs/ca.pem'] +uiSettings.overrides.defaultRoute: /app/wazuh +opensearch.username: 'kibanaserver' +opensearch.password: 'kibanaserver' diff --git a/docker/wazuh-4.7/config/wazuh_dashboard/wazuh_dashboard_saml.yml b/docker/wazuh-4.7/config/wazuh_dashboard/wazuh_dashboard_saml.yml new file mode 100755 index 0000000000..ce5d198300 --- /dev/null +++ b/docker/wazuh-4.7/config/wazuh_dashboard/wazuh_dashboard_saml.yml @@ -0,0 +1,16 @@ +server.host: 0.0.0.0 +server.port: 5601 +opensearch.hosts: https://wazuh.indexer:9200 +opensearch.ssl.verificationMode: certificate +opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"] +opensearch_security.multitenancy.enabled: false +opensearch_security.readonly_mode.roles: ["kibana_read_only"] +server.ssl.enabled: true +server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh.dashboard.key" +server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh.dashboard.pem" +opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/ca.pem"] +uiSettings.overrides.defaultRoute: /app/wazuh +opensearch.username: "kibanaserver" +opensearch.password: "kibanaserver" +opensearch_security.auth.type: "saml" +server.xsrf.whitelist: [/_plugins/_security/saml/acs,/_opendistro/_security/saml/acs,/_plugins/_security/saml/acs/idpinitiated,/_opendistro/_security/saml/acs/idpinitiated,/_plugins/_security/saml/logout,/_opendistro/_security/saml/logout] 
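Review bot: The two dashboard configurations have drifted: `wazuh_dashboard.yml` uses `opensearch.requestHeadersAllowlist` while `wazuh_dashboard_saml.yml` uses the older `opensearch.requestHeadersWhitelist` spelling and, for the same setting family, `server.xsrf.whitelist`; OpenSearch Dashboards accepts the allowlist forms, which is what the non-SAML file already chose. Align the SAML file on `opensearch.requestHeadersAllowlist` and `server.xsrf.allowlist`, and quote the entries of the `server.xsrf` list as strings like the other lists in the file. Both files set `opensearch.ssl.verificationMode: certificate`, which skips hostname verification; since the CA is private and the cert is issued for `wazuh.indexer`, `full` should work and is the safer default.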
diff --git a/docker/wazuh-4.7/config/wazuh_indexer/config-saml.yml b/docker/wazuh-4.7/config/wazuh_indexer/config-saml.yml new file mode 100644 index 0000000000..74fc91c8c4 --- /dev/null +++ b/docker/wazuh-4.7/config/wazuh_indexer/config-saml.yml @@ -0,0 +1,40 @@ +--- +_meta: + type: "config" + config_version: 2 + +config: + dynamic: + http: + anonymous_auth_enabled: false + authc: + internal_auth: + order: 0 + description: "HTTP basic authentication using the internal user database" + http_enabled: true + transport_enabled: true + http_authenticator: + type: basic + challenge: false + authentication_backend: + type: internal + saml_auth: + order: 1 + description: "Keycloack SAML provider" + http_enabled: true + transport_enabled: false + http_authenticator: + type: saml + challenge: true + config: + idp: + metadata_url: http://idp:8080/realms/wazuh/protocol/saml/descriptor + entity_id: http://idp:8080/realms/wazuh + sp: + entity_id: wazuh + signature_private_key_filepath: "certs/admin-key.pem" + kibana_url: https://localhost:5601 + roles_key: Role + exchange_key: 1a2a3a4a5a6a7a8a9a0a1b2b3b4b5b6b + authentication_backend: + type: noop diff --git a/docker/wazuh-4.7/config/wazuh_indexer/config.yml b/docker/wazuh-4.7/config/wazuh_indexer/config.yml new file mode 100644 index 0000000000..74fc91c8c4 --- /dev/null +++ b/docker/wazuh-4.7/config/wazuh_indexer/config.yml 
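Review bot: `exchange_key: 1a2a3a4a5a6a7a8a9a0a1b2b3b4b5b6b` is a patterned placeholder, and this is the key the security plugin uses to sign the token it issues after a successful SAML login, so anyone reading the repository can mint tokens for the indexer. Generate a random value per deployment (for example `openssl rand -hex 32`) and keep it out of the tree, or at least quote it as a string and comment that it must be replaced. The `description: "Keycloack SAML provider"` string has a typo (`Keycloak`), and `metadata_url: http://idp:8080/...` is plain HTTP, which is acceptable only because `idp` is reachable solely on the compose network; a comment saying so would help.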
@@ -0,0 +1,40 @@ +--- +_meta: + type: "config" + config_version: 2 + +config: + dynamic: + http: + anonymous_auth_enabled: false + authc: + internal_auth: + order: 0 + description: "HTTP basic authentication using the internal user database" + http_enabled: true + transport_enabled: true + http_authenticator: + type: basic + challenge: false + authentication_backend: + type: internal + saml_auth: + order: 1 + description: "Keycloack SAML provider" + http_enabled: true + transport_enabled: false + http_authenticator: + type: saml + challenge: true + config: + idp: + metadata_url: http://idp:8080/realms/wazuh/protocol/saml/descriptor + entity_id: http://idp:8080/realms/wazuh + sp: + entity_id: wazuh + signature_private_key_filepath: "certs/admin-key.pem" + kibana_url: https://localhost:5601 + roles_key: Role + exchange_key: 1a2a3a4a5a6a7a8a9a0a1b2b3b4b5b6b + authentication_backend: + type: noop diff --git a/docker/wazuh-4.7/config/wazuh_indexer/internal_users.yml b/docker/wazuh-4.7/config/wazuh_indexer/internal_users.yml new file mode 100755 index 0000000000..d9f05b343b --- /dev/null +++ b/docker/wazuh-4.7/config/wazuh_indexer/internal_users.yml 
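Review bot: `config.yml` is byte-identical to `config-saml.yml` (both hunks carry the same blob id `74fc91c8c4`), so the `standard` profile also registers the `saml_auth` domain with `challenge: true` pointing at `idp:8080`, a service that profile never starts. Since `internal_auth` has `challenge: false`, an unauthenticated browser request in the standard profile is likely to be redirected to the missing IdP instead of receiving a basic-auth challenge. The non-SAML file should contain only the `internal_auth` domain, with the `saml_auth` block removed.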
@@ -0,0 +1,56 @@ +--- +# This is the internal user database +# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh + +_meta: + type: "internalusers" + config_version: 2 + +# Define your internal users here + +## Demo users + +admin: + hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO" + reserved: true + backend_roles: + - "admin" + description: "Demo admin user" + +kibanaserver: + hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H." + reserved: true + description: "Demo kibanaserver user" + +kibanaro: + hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC" + reserved: false + backend_roles: + - "kibanauser" + - "readall" + attributes: + attribute1: "value1" + attribute2: "value2" + attribute3: "value3" + description: "Demo kibanaro user" + +logstash: + hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2" + reserved: false + backend_roles: + - "logstash" + description: "Demo logstash user" + +readall: + hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2" + reserved: false + backend_roles: + - "readall" + description: "Demo readall user" + +snapshotrestore: + hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W" + reserved: false + backend_roles: + - "snapshotrestore" + description: "Demo snapshotrestore user" diff --git a/docker/wazuh-4.7/config/wazuh_indexer/opensearch.yml b/docker/wazuh-4.7/config/wazuh_indexer/opensearch.yml new file mode 100644 index 0000000000..ee1dbf59d5 --- /dev/null +++ b/docker/wazuh-4.7/config/wazuh_indexer/opensearch.yml 
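Review bot: The `kibanaro`, `logstash`, `readall` and `snapshotrestore` entries appear to be the stock demo accounts with their published demo hashes, and nothing else in this change references them, so they only add valid logins to the indexer. Drop them, or if they are kept deliberately, add a comment above `## Demo users` stating that these hashes are public and must not be reused outside this test stack. The `admin` hash is `$2y$` while the others are `$2a$`; both are bcrypt, but a one-line comment on how the hashes were produced (the header already points at `plugin/tools/hash.sh`) would make regeneration easier.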
@@ -0,0 +1,42 @@ +network.host: "0.0.0.0" +node.name: "os1" +path.data: /var/lib/os1 +path.logs: /var/log/os1 +# comment compatibility.override_main_response_version for 2.0.0 +compatibility.override_main_response_version: true +plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/os1.pem +plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/os1.key +plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/ca.pem +plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/os1.pem +plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/os1.key +plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/ca.pem +plugins.security.ssl.http.enabled: true +plugins.security.ssl.transport.enforce_hostname_verification: false +plugins.security.ssl.transport.resolve_hostname: false +plugins.security.authcz.admin_dn: + - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" +plugins.security.check_snapshot_restore_write_privileges: true +plugins.security.enable_snapshot_restore_privilege: true +plugins.security.nodes_dn: + - "CN=os1,OU=Wazuh,O=Wazuh,L=California,C=US" +plugins.security.restapi.roles_enabled: + - "all_access" + - "security_rest_api_access" +plugins.security.system_indices.enabled: true +plugins.security.system_indices.indices: + [ + ".opendistro-alerting-config", + ".opendistro-alerting-alert*", + ".opendistro-anomaly-results*", + ".opendistro-anomaly-detector*", + ".opendistro-anomaly-checkpoints", + ".opendistro-anomaly-detection-state", + ".opendistro-reports-*", + ".opendistro-notifications-*", + ".opendistro-notebooks", + ".opensearch-observability", + ".opendistro-asynchronous-search-response*", + ".replication-metadata-store", + ] +plugins.security.allow_default_init_securityindex: true +cluster.routing.allocation.disk.threshold_enabled: false 
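Review bot: This `opensearch.yml` is not mounted anywhere in the compose file of this change, which maps `./config/wazuh_indexer/wazuh.indexer.yml` onto the container's `opensearch.yml`, so the file looks like a leftover from a different stack (node name `os1`, data under `/var/lib/os1`). Either delete it or reconcile it with `wazuh.indexer.yml`, since two near-duplicate indexer configs with different node names and paths will confuse the next person editing them. If it is kept, the `# comment compatibility.override_main_response_version for 2.0.0` line should say what to do and when, e.g. `# Remove compatibility.override_main_response_version once the stack is on OpenSearch 2.x`.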
diff --git a/docker/wazuh-4.7/config/wazuh_indexer/roles.yml b/docker/wazuh-4.7/config/wazuh_indexer/roles.yml new file mode 100644 index 0000000000..5b35df448b --- /dev/null +++ b/docker/wazuh-4.7/config/wazuh_indexer/roles.yml 
@@ -0,0 +1,149 @@ +_meta: + type: "roles" + config_version: 2 + +# Restrict users so they can only view visualization and dashboard on kibana +kibana_read_only: + reserved: true + +# The security REST API access role is used to assign specific users access to change the security settings through the REST API. +security_rest_api_access: + reserved: true + +# Allows users to view monitors, destinations and alerts +alerting_read_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/alerting/alerts/get" + - "cluster:admin/opendistro/alerting/destination/get" + - "cluster:admin/opendistro/alerting/monitor/get" + - "cluster:admin/opendistro/alerting/monitor/search" + +# Allows users to view and acknowledge alerts +alerting_ack_alerts: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/alerting/alerts/*" + +# Allows users to use all alerting functionality +alerting_full_access: + reserved: true + cluster_permissions: + - "cluster_monitor" + - "cluster:admin/opendistro/alerting/*" + index_permissions: + - index_patterns: + - "*" + allowed_actions: + - "indices_monitor" + - "indices:admin/aliases/get" + - "indices:admin/mappings/get" + +# Allow users to read Anomaly Detection detectors and results +anomaly_read_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/ad/detector/info" + - "cluster:admin/opendistro/ad/detector/search" + - "cluster:admin/opendistro/ad/detectors/get" + - "cluster:admin/opendistro/ad/result/search" + - "cluster:admin/opendistro/ad/tasks/search" + +# Allows users to use all Anomaly Detection functionality +anomaly_full_access: + reserved: true + cluster_permissions: + - "cluster_monitor" + - "cluster:admin/opendistro/ad/*" + index_permissions: + - index_patterns: + - "*" + allowed_actions: + - "indices_monitor" + - "indices:admin/aliases/get" + - "indices:admin/mappings/get" + +# Allows users to read Notebooks +notebooks_read_access: + reserved: true + cluster_permissions: + - 
"cluster:admin/opendistro/notebooks/list" + - "cluster:admin/opendistro/notebooks/get" + +# Allows users to all Notebooks functionality +notebooks_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/notebooks/create" + - "cluster:admin/opendistro/notebooks/update" + - "cluster:admin/opendistro/notebooks/delete" + - "cluster:admin/opendistro/notebooks/get" + - "cluster:admin/opendistro/notebooks/list" + +# Allows users to read and download Reports +reports_instances_read_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/reports/instance/list" + - "cluster:admin/opendistro/reports/instance/get" + - "cluster:admin/opendistro/reports/menu/download" + +# Allows users to read and download Reports and Report-definitions +reports_read_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/reports/definition/get" + - "cluster:admin/opendistro/reports/definition/list" + - "cluster:admin/opendistro/reports/instance/list" + - "cluster:admin/opendistro/reports/instance/get" + - "cluster:admin/opendistro/reports/menu/download" + +# Allows users to all Reports functionality +reports_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/reports/definition/create" + - "cluster:admin/opendistro/reports/definition/update" + - "cluster:admin/opendistro/reports/definition/on_demand" + - "cluster:admin/opendistro/reports/definition/delete" + - "cluster:admin/opendistro/reports/definition/get" + - "cluster:admin/opendistro/reports/definition/list" + - "cluster:admin/opendistro/reports/instance/list" + - "cluster:admin/opendistro/reports/instance/get" + - "cluster:admin/opendistro/reports/menu/download" + +# Allows users to use all asynchronous-search functionality +asynchronous_search_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/asynchronous_search/*" + index_permissions: + - index_patterns: + - "*" + allowed_actions: + - 
"indices:data/read/search*" + +# Allows users to read stored asynchronous-search results +asynchronous_search_read_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/asynchronous_search/get" + +# Wazuh monitoring and statistics index permissions +manage_wazuh_index: + reserved: true + hidden: false + cluster_permissions: [] + index_permissions: + - index_patterns: + - "wazuh-*" + dls: "" + fls: [] + masked_fields: [] + allowed_actions: + - "read" + - "delete" + - "manage" + - "index" + tenant_permissions: [] + static: false diff --git a/docker/wazuh-4.7/config/wazuh_indexer/roles_mapping.yml b/docker/wazuh-4.7/config/wazuh_indexer/roles_mapping.yml new file mode 100644 index 0000000000..94c2b46613 --- /dev/null +++ b/docker/wazuh-4.7/config/wazuh_indexer/roles_mapping.yml 
@@ -0,0 +1,88 @@ +--- +# In this file users, backendroles and hosts can be mapped to Open Distro Security roles. +# Permissions for Opendistro roles are configured in roles.yml + +_meta: + type: "rolesmapping" + config_version: 2 + +# Define your roles mapping here + +## Default roles mapping + +all_access: + reserved: true + hidden: false + backend_roles: + - "admin" + hosts: [] + users: [] + and_backend_roles: [] + description: "Maps admin to all_access" + +own_index: + reserved: false + hidden: false + backend_roles: [] + hosts: [] + users: + - "*" + and_backend_roles: [] + description: "Allow full access to an index named like the username" + +logstash: + reserved: false + hidden: false + backend_roles: + - "logstash" + hosts: [] + users: [] + and_backend_roles: [] + +readall: + reserved: true + hidden: false + backend_roles: + - "readall" + hosts: [] + users: [] + and_backend_roles: [] + +manage_snapshots: + reserved: true + hidden: false + backend_roles: + - "snapshotrestore" + hosts: [] + users: [] + and_backend_roles: [] + +kibana_server: + reserved: true + hidden: false + backend_roles: [] + hosts: [] + users: + - "kibanaserver" + and_backend_roles: [] + +kibana_user: + reserved: false + hidden: false + backend_roles: + - "kibanauser" + hosts: [] + users: [] + and_backend_roles: [] + description: "Maps kibanauser to kibana_user" + + # Wazuh monitoring and statistics index permissions +manage_wazuh_index: + reserved: true + hidden: false + backend_roles: [] + hosts: [] + users: + - "kibanaserver" + - "admin" + and_backend_roles: [] diff --git a/docker/wazuh-4.7/config/wazuh_indexer/wazuh.indexer.yml b/docker/wazuh-4.7/config/wazuh_indexer/wazuh.indexer.yml new file mode 100755 index 0000000000..3b31ac37d0 --- /dev/null +++ b/docker/wazuh-4.7/config/wazuh_indexer/wazuh.indexer.yml 
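Review bot: The comment `  # Wazuh monitoring and statistics index permissions` is indented under `kibana_user` but describes the top-level `manage_wazuh_index` mapping that follows; move it to column 0 above `manage_wazuh_index:` so it sits with the key it documents, like the other section comments in the file. The header comment also still refers to Open Distro while the stack is Wazuh indexer/OpenSearch; updating it avoids pointing readers at the wrong documentation.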
@@ -0,0 +1,28 @@ +network.host: "0.0.0.0" +node.name: "wazuh.indexer" +path.data: /var/lib/wazuh-indexer +path.logs: /var/log/wazuh-indexer +discovery.type: single-node +compatibility.override_main_response_version: true +plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem +plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key +plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/ca.pem +plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem +plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key +plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/ca.pem +plugins.security.ssl.http.enabled: true +plugins.security.ssl.transport.enforce_hostname_verification: false +plugins.security.ssl.transport.resolve_hostname: false +plugins.security.authcz.admin_dn: +- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" +plugins.security.check_snapshot_restore_write_privileges: true +plugins.security.enable_snapshot_restore_privilege: true +plugins.security.nodes_dn: +- "CN=os1,OU=Wazuh,O=Wazuh,L=California,C=US" +plugins.security.restapi.roles_enabled: +- "all_access" +- "security_rest_api_access" +plugins.security.system_indices.enabled: true +plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] +plugins.security.allow_default_init_securityindex: true +cluster.routing.allocation.disk.threshold_enabled: false \ No newline at end of file 
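Review bot: `plugins.security.nodes_dn` is `CN=os1,...` while `node.name` is `wazuh.indexer` and the certificates referenced are `wazuh.indexer.pem`/`.key`; if those certificates are issued from the `host.json` template with the host name as CN, the node DN never matches, which only goes unnoticed because `discovery.type: single-node` avoids inter-node transport. Set it to the DN actually present in the node certificate, `- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"`, or add a comment explaining why `os1` is intended. The file also ends without a newline (`\ No newline at end of file`) and uses flush sequence indentation where `opensearch.yml` indents its lists; pick one style for the directory.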
diff --git a/docker/wazuh-4.7/enable_saml.sh b/docker/wazuh-4.7/enable_saml.sh new file mode 100755 index 0000000000..41d3fb8a22 --- /dev/null +++ b/docker/wazuh-4.7/enable_saml.sh 
@@ -0,0 +1,165 @@ +#!/bin/bash + +# idp container launches and docker-compose returns too quickly, do not wait for container to +# be healthy as it has no dependencies, so we wait before continuing +sleep 7 + + +indexer="$1-wazuh.indexer-1" +dashboard="$1-wazuh.dashboard-1" + +# Setup keycloack to be used with wazuh-dashboards + +# Connection +U="admin" +P="admin" +B="http://idp:8080" + +# Realm +REALM="master" + +# Get ACCESS_TOKEN from default install +ACCESS_TOKEN=$(curl -sS \ + -d 'client_id=admin-cli' \ + -d 'username=admin' \ + -d 'password=admin' \ + -d 'grant_type=password' \ + "${B}/realms/master/protocol/openid-connect/token" | jq -r '.access_token') + +H=('-H' 'Content-Type: application/json' '-H' "Authorization: Bearer $ACCESS_TOKEN") + +# Create new REALM +REALM="wazuh" +P='{ + "id": "wazuh", + "realm": "wazuh", + "enabled": true +}' + +curl -sS -L -X POST "${B}/admin/realms" "${H[@]}" -d "$P" | grep -v "Conflict detected" + + +# Add admin certificates to keycloak as these are used by indexer to sign saml +# messages. These should be uploaded to keycloak if we want it to verify indexer messages. 
+key=$(cat /certs/wi/admin-key.pem | grep -v "PRIVATE KEY" | tr -d "\n") +cert=$(cat /certs/wi/admin.pem | grep -v CERTIFICATE | tr -d "\n") + + +# Create client +# By default the client does not verify the client signature on saml messages +# but it could be enabled for testing purposes +PC="{ + \"protocol\": \"saml\", + \"name\": \"wazuh\", + \"clientId\": \"wazuh\", + \"description\": \"wazuh saml integration\", + \"baseUrl\": \"https://localhost:5601\", + \"rootUrl\": \"https://localhost:5601\", + \"redirectUris\": [\"https://localhost:5601/*\"], + \"attributes\" : { + \"saml_single_logout_service_url_redirect\": \"https://localhost:5601/_opendistro/_security/saml/logout\", + \"saml_assertion_consumer_url_post\": \"https://localhost:5601/_opendistro/_security/saml/acs/idpinitiated\", + \"saml_single_logout_service_url_post\": \"https://wazuh.dashboard:5601/_opendistro/_security/saml/logout\", + \"saml.force.post.binding\": \"false\", + \"saml.signing.certificate\": \"$cert\", + \"saml.signing.private.key\": \"$key\", + \"saml.client.signature\": \"true\", + \"saml_single_logout_service_url_redirect\": \"https://localhost:5601\", + \"post.logout.redirect.uris\": \"https://localhost:5601*\" + } +}" + +curl -sS -L -X POST "${B}/admin/realms/${REALM}/clients" "${H[@]}" -d "$PC" | grep -v "Client wazuh already exists" + +# Get a client json representation +CLIENT=$(curl -sS -L -X GET "${B}/admin/realms/${REALM}/clients" "${H[@]}" -G -d 'clientId=wazuh' |jq '.[] | select(.clientId=="wazuh")') + +# Get client id +CID=$(echo $CLIENT | jq -r '.id' ) + +# Generate all-access and admin role for the realm +PR1='{ + "name":"all-access" +}' + +curl -sS -L -X POST "${B}/admin/realms/${REALM}/roles" "${H[@]}" -d "$PR1" | grep -v "Role with name all-access already exists" + +PR2='{ + "name":"admin" +}' + +curl -sS -L -X POST "${B}/admin/realms/${REALM}/roles" "${H[@]}" -d "$PR2" | grep -v "Role with name admin already exists" + + +## create new user +PU='{ + "username": 
"wazuh", + "email": "hello@wazuh.com", + "firstName": "Wazuh", + "lastName": "Wazuh", + "emailVerified": true, + "enabled": true, + "credentials": [{"temporary":false,"type":"password","value":"wazuh"}], + "realmRoles": ["admin", "all-access"] +}' + +curl -sS -L -X POST "${B}/admin/realms/${REALM}/users" "${H[@]}" -d "$PU" | grep -v "User exists with same username" + +## Get a user json representation +USER=$(curl -sS -L -X GET "${B}/admin/realms/${REALM}/users" "${H[@]}" -G -d 'username=wazuh' |jq '.[] | select(.username=="wazuh")') + +### Get user id +USERID=$(echo $USER | jq -r '.id' ) + +# Get roles +ROLES=$(curl -sS -L -X GET "${B}/admin/realms/${REALM}/roles" "${H[@]}" -d "$PR2" ) + +## Assign role +ADMINID=$(echo $ROLES | jq -r '.[] | select(.name=="admin").id') +ALLACCESSID=$(echo $ROLES | jq -r '.[] | select(.name=="all-access").id') + +PA1="[ + { + \"id\": \"$ADMINID\", + \"name\": \"admin\", + \"composite\": false, + \"clientRole\": false, + \"containerId\": \"wazuh\" + }, + { + \"id\": \"$ALLACCESSID\", + \"name\": \"all-access\", + \"description\": \"\", + \"composite\": false, + \"clientRole\": false, + \"containerId\": \"wazuh\" + } +]" + +curl -sS -L -X POST "${B}/admin/realms/${REALM}/users/${USERID}/role-mappings/realm" "${H[@]}" -d "$PA1" + +# Get list of client scopes +CSCOPES=$(curl -sS -L -X GET "${B}/admin/realms/${REALM}/client-scopes" "${H[@]}") +CSID=$(echo $CSCOPES | jq -r '.[] | select(.name=="role_list").id ') +CSR=$(echo $CSCOPES | jq -r '.[] | select(.name=="role_list") ') + + +# Set single to true, so opensearch works +UPDATE=$(echo $CSR | jq '.protocolMappers[] | select(.name=="role list").config.single |= "true" ') +PMID=$(echo $CSR | jq -r '.protocolMappers[] | select(.name=="role list").id') + +curl -sS -L -X PUT "${B}/admin/realms/${REALM}/client-scopes/$CSID/protocol-mappers/models/$PMID" "${H[@]}" -d "$UPDATE" + +# Set up auth realm on opensearch +certs="/usr/share/wazuh-indexer/certs" +ca="$certs/ca.pem" 
+cert="$certs/admin.pem" +key="$certs/admin-key.pem" + +securityadmin="bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh" +config_path="/usr/share/wazuh-indexer/opensearch-security/" + +echo "To update configuration in indexer, you can run:" +echo docker exec -e JAVA_HOME=/usr/share/wazuh-indexer/jdk $indexer $securityadmin -cacert $ca -cert $cert -key $key -cd $config_path + + diff --git a/docker/wazuh-4.7/pre.sh b/docker/wazuh-4.7/pre.sh new file mode 100755 index 0000000000..a3baf6bffe --- /dev/null +++ b/docker/wazuh-4.7/pre.sh 
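Review bot: The `attributes` object in `PC` defines `saml_single_logout_service_url_redirect` twice, first as `https://localhost:5601/_opendistro/_security/saml/logout` and later as `https://localhost:5601`; most JSON parsers keep the last value, so the redirect-binding logout URL silently becomes the dashboard root, and the second entry should be dropped or renamed to whatever attribute was intended. The same payload reads the admin private key from `/certs/wi/admin-key.pem` and sends it to Keycloak as `saml.signing.private.key` over plain `http://idp:8080`; verifying the indexer's signatures only needs the certificate, so unless Keycloak is meant to sign on the client's behalf the `\"saml.signing.private.key\": \"$key\",` line and the `key=` assignment can go, and the comment above them should say only the certificate is uploaded. Every `curl ... | grep -v "... already exists"` also masks transport and auth failures, so a failed token request leaves `ACCESS_TOKEN` as `null` and each later `jq -r '.id'` yields `null`; a check right after the token request, `[ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != null ] || { echo "keycloak login failed" >&2; exit 1; }`, would stop the script before it creates half-configured objects.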
@@ -0,0 +1,111 @@ +#!/usr/bin/env bash + +versions=( + "4.7.0" + "4.7.1" + "4.7.2" +) + +wazuh_api_version=( + "0" +) + +usage() { + echo + echo "./pre.sh wazuh_version wazuh_api_version action " + echo + echo "where" + echo " wazuh_version is one of ${versions[*]}" + echo " wazuh_api_version is the patch version of wazuh 4.7, for example " ${wazuh_api_version[*]} + echo " action is one of up | down | stop" + echo + echo "In a minor release, the API should not change the version here bumps the API" + echo " string returned for testing. This script generates the file " + echo + echo " config/imposter/api_info.json" + echo + echo "used by the mock server" + exit -1 +} + +if [ $# -ne 3 ]; then + echo "Incorrect number of arguments " $# + usage +fi + +if [[ ! " ${versions[*]} " =~ " ${1} " ]]; then + echo "Version ${1} not found in ${versions[*]}" + exit -1 +fi + +[ -n "$2" ] && [ "$2" -eq "$2" ] 2>/dev/null +if [ $? -ne 0 ]; then + echo "$2 is not number" + exit -1 +fi + +patch_version=$2 +cat <config/imposter/api_info.json +{ + "data": { + "title": "Wazuh API REST", + "api_version": "4.7.${patch_version}", + "revision": 40316, + "license_name": "GPL 2.0", + "license_url": "https://github.com/wazuh/wazuh/blob/4.7/LICENSE", + "hostname": "imposter", + "timestamp": "2022-06-13T17:20:03Z" + }, + "error": 0 +} +EOF + +export WAZUH_STACK=${1} +export KIBANA_PORT=5601 +export KIBANA_PASSWORD=${PASSWORD:-SecretPassword} +export COMPOSE_PROJECT_NAME=wz-pre-${WAZUH_STACK//./} + +case "$3" in +up) + # recreate volumes + docker compose -f pre.yml up -Vd + + # This installs Wazuh and integrates with a default Wazuh stack + # v=$( echo -n $WAZUH_STACK | sed 's/\.//g' ) + echo + echo "Install the pre-release package manually with:" + echo + echo "1. Uninstall current version of the Wazuh app:" + echo "docker exec -ti ${COMPOSE_PROJECT_NAME}-wazuh.dashboard-1 /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin remove wazuh" + echo + echo "2. 
Restart Wazuh Dashboard:" + echo "docker restart ${COMPOSE_PROJECT_NAME}-wazuh.dashboard-1" + echo + echo "3. Copy the pre-release package to the running Wazuh Dashboard container:" + echo docker cp wazuh-4.7.${patch_version}-1.zip ${COMPOSE_PROJECT_NAME}-wazuh.dashboard-1:/tmp + echo + echo "4. Install the package we have just uploaded:" + echo "docker exec -ti ${COMPOSE_PROJECT_NAME}-wazuh.dashboard-1 /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin install file:///tmp/wazuh-4.7.${patch_version}-1.zip" + echo + echo "5. Restart the Wazuh Dashboard container:" + echo "docker restart ${COMPOSE_PROJECT_NAME}-wazuh.dashboard-1" + echo + echo "6. Upload the Wazuh app configuration:" + echo "docker cp ./config/wazuh_dashboard/wazuh.yml ${COMPOSE_PROJECT_NAME}-wazuh.dashboard-1:/usr/share/wazuh-dashboard/data/wazuh/config/" + echo + echo "7. Access the running instance in:" + echo "https://localhost:${KIBANA_PORT}" + echo + ;; +down) + # delete volumes + docker compose -f pre.yml down -v --remove-orphans + ;; +stop) + docker compose -f rel.yml -p "${COMPOSE_PROJECT_NAME}" stop + ;; +*) + echo "Action must be either up or down" + usage + ;; +esac diff --git a/docker/wazuh-4.7/pre.yml b/docker/wazuh-4.7/pre.yml new file mode 100755 index 0000000000..7f22362cd1 --- /dev/null +++ b/docker/wazuh-4.7/pre.yml 
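Review bot: The `stop` branch runs `docker compose -f rel.yml -p "${COMPOSE_PROJECT_NAME}" stop` while `up` and `down` operate on `pre.yml`, so `./pre.sh <version> <api> stop` targets the release stack's compose file instead of the one this script brought up; change it to `docker compose -f pre.yml -p "${COMPOSE_PROJECT_NAME}" stop`. The fallback message `"Action must be either up or down"` also omits `stop`, which usage() lists as valid. As rendered here the JSON generation reads `cat <config/imposter/api_info.json`, which is an input redirection rather than a heredoc that writes the file; if that is not an artefact of how the diff was rendered it should be `cat <<EOF >config/imposter/api_info.json`. `exit -1` is not a valid POSIX status and becomes 255; `exit 1` is the conventional failure code.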
@@ -0,0 +1,212 @@ +# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2) +version: '3.9' + +# x-logging: &logging +# logging: +# driver: loki +# options: +# loki-url: "http://host.docker.internal:3100/loki/api/v1/push" + +services: + exporter: + image: quay.io/prometheuscommunity/elasticsearch-exporter:latest + # <<: *logging + hostname: 'exporter-kbn-${WAZUH_STACK}' + networks: + - wzd-pre + - mon + command: + - '--es.uri=https://admin:${KIBANA_PASSWORD}@wazuh.indexer:9200' + - '--es.ssl-skip-verify' + - '--es.all' + + imposter: + image: outofcoffee/imposter + hostname: 'imposter-kbn-${WAZUH_STACK}' + networks: + - wzd-pre + - mon + # <<: *logging + environment: + - JAVA_OPTS="-Xmx512m -Xss512k -Dfile.encoding=UTF-8 -XX:MaxRAM=800m -XX:MaxRAMPercentage=95 -XX:MinRAMPercentage=60A" + - MALLOC_ARENA_MAX=1 + volumes: + - ./config/imposter:/opt/imposter/config + + generator: + image: cfssl/cfssl + volumes: + - wi_certs:/certs/wi + - wd_certs:/certs/wd + - wm_certs:/certs/wm + - ./config/certs:/conf + entrypoint: /bin/bash + command: > + -c ' + export certs=/tmp/certs + mkdir $$certs + cd $$certs + + echo "Generating CA" + cfssl gencert -initca /conf/ca.json | cfssljson -bare ca + + echo "Generating servers certificates" + for i in wazuh.indexer wazuh.dashboard wazuh.manager; do + echo "Generating cert for $$i" + cat /conf/host.json | \ + sed "s/HOST/$$i/g" | \ + cfssl gencert \ + -ca $$certs/ca.pem \ + -ca-key $$certs/ca-key.pem \ + -config /conf/cfssl.json \ + -profile=server - | \ + cfssljson -bare $$i + openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key + done + + echo "Generating clients certificates" + for i in admin filebeat; do + echo "Generating cert for $$i" + cat /conf/host.json | \ + sed "s/HOST/$$i/g" | \ + cfssl gencert \ + -ca $$certs/ca.pem \ + -ca-key $$certs/ca-key.pem \ + -config /conf/cfssl.json \ + -profile=client - | \ + cfssljson -bare $$i + openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem 
-nocrypt -out $$i.key + done + + echo "Setting up permissions" + + rm /certs/wi/* /certs/wd/* /certs/wm/* + + mv $$certs/wazuh.indexer* /certs/wi + mv $$certs/admin* /certs/wi + mv /certs/wi/admin.key /certs/wi/admin-key.pem + cp $$certs/*ca* /certs/wi + + mv $$certs/wazuh.dashboard* /certs/wd + cp $$certs/*ca* /certs/wd + + mv $$certs/*.* /certs/wm + + chmod 640 /certs/wi/* /certs/wd/* /certs/wm/* + chown -R 1000:1000 /certs/* + ls -alR /certs/ + + sleep 30 + ' + healthcheck: + test: ['CMD-SHELL', '[ -r /certs/wm/wazuh.manager.pem ]'] + interval: 2s + timeout: 5s + retries: 10 + + filebeat: + depends_on: + wazuh.indexer: + condition: service_healthy + image: elastic/filebeat:7.10.2 + hostname: filebeat + user: '0:0' + networks: + - wzd-pre + - mon + # <<: *logging + entrypoint: + - '/bin/bash' + command: > + -c ' + mkdir -p /etc/filebeat + echo admin | filebeat keystore add username --stdin --force + echo SecretPassword| filebeat keystore add password --stdin --force + curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.3/extensions/elasticsearch/7.x/wazuh-template.json + curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module + # copy filebeat to preserve correct permissions without + # affecting host filesystem + cp /tmp/filebeat.yml /usr/share/filebeat/filebeat.yml + chown root.root /usr/share/filebeat/filebeat.yml + chmod go-w /usr/share/filebeat/filebeat.yml + filebeat setup -e + filebeat + ' + volumes: + - wm_certs:/etc/ssl/wazuh + - ./config/filebeat/filebeat.yml:/tmp/filebeat.yml + + wazuh.indexer: + depends_on: + generator: + condition: service_healthy + image: wazuh/wazuh-indexer:${WAZUH_STACK} + hostname: wazuh.indexer + networks: + - wzd-pre + - mon + # <<: *logging + environment: + - 'OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m' + - 'OPENSEARCH_PATH_CONF=/usr/share/wazuh-indexer/config' + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + 
hard: 65536 + volumes: + - wazuh-indexer-data:/var/lib/wazuh-indexer + - wi_certs:/usr/share/wazuh-indexer/certs/ + - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml + - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml + - ./config/wazuh_indexer/config.yml:/usr/share/wazuh-indexer/opensearch-security/config.yml + - ./config/wazuh_indexer/roles.yml:/usr/share/wazuh-indexer/opensearch-security/roles.yml + - ./config/wazuh_indexer/roles_mapping.yml:/usr/share/wazuh-indexer/opensearch-security/roles_mapping.yml + healthcheck: + test: + [ + 'CMD-SHELL', + '/usr/share/wazuh-indexer/bin/opensearch-plugin list | grep -q security', + ] + interval: 10s + timeout: 10s + retries: 120 + + wazuh.dashboard: + image: wazuh/wazuh-dashboard:${WAZUH_STACK} + hostname: wazuh.dashboard + depends_on: + wazuh.indexer: + condition: service_healthy + networks: + - wzd-pre + - mon + # <<: *logging + ports: + - ${KIBANA_PORT}:5601 + environment: + - INDEXER_USERNAME=admin + - INDEXER_PASSWORD=SecretPassword + - WAZUH_API_URL=http://imposter:8080 + - API_USERNAME=wazuh-wui + - API_PASSWORD=MyS3cr37P450r.*- + volumes: + - wd_certs:/usr/share/wazuh-dashboard/certs + - ./config/wazuh_dashboard/wazuh_dashboards.yml:/usr/share/wazuh-dashboard/config/wazuh_dashboards.yml + - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml + +networks: + networks: + wzd-pre: + name: wzd-pre-${WAZUH_STACK} + driver: bridge + mon: + external: true + +volumes: + wazuh-indexer-data: + wi_certs: + wd_certs: + wm_certs: diff --git a/docker/wazuh-4.7/rel.sh b/docker/wazuh-4.7/rel.sh new file mode 100755 index 0000000000..0e639bdd46 --- /dev/null +++ b/docker/wazuh-4.7/rel.sh 
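Review bot: The top-level `networks:` block at the end of the file contains a second nested `networks:` key, so as written Compose sees one network literally named `networks` with unknown sub-keys `wzd-pre` and `mon`, while every service references `wzd-pre` and `mon` directly (compare the flat `networks:` block at the end of rel.yml); if the nesting is not a rendering artefact, drop the inner `networks:` line and dedent `wzd-pre` and `mon` one level. The filebeat keystore line hard-codes `SecretPassword` and the dashboard sets `INDEXER_PASSWORD=SecretPassword`, while the exporter reads `${KIBANA_PASSWORD}`, so a caller who sets `PASSWORD` gets a stack in which only the exporter uses the override; `echo ${KIBANA_PASSWORD}| filebeat keystore add password --stdin --force`, as the wazuh-4.x-es variant of this file does, and `INDEXER_PASSWORD=${KIBANA_PASSWORD}` keep the services in step. `-XX:MinRAMPercentage=60A` in the imposter JAVA_OPTS looks like a typo for `60` and is likely to be rejected at JVM start.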
@@ -0,0 +1,71 @@ +#!/usr/bin/env bash + +versions=( + "4.7.0" + "4.7.1" + "4.7.2" +) + +usage() { + echo + echo "$0 version action [saml]" + echo + echo "where version is one of ${versions[*]}" + echo "action is one of up | down | stop" + echo "saml to deploy a saml enabled environment" + exit -1 +} + +if [ $# -lt 2 ]; then + echo "Incorrect number of arguments " $# + usage +fi + +if [[ ! " ${versions[*]} " =~ " ${1} " ]]; then + echo "Version ${1} not found in ${versions[*]}" + exit -1 +fi + +export WAZUH_STACK=${1} +export KIBANA_PORT=5601 +export KIBANA_PASSWORD=${PASSWORD:-SecretPassword} +export COMPOSE_PROJECT_NAME=wz-rel-${WAZUH_STACK//./} + +profile="standard" +export WAZUH_DASHBOARD_CONF=./config/wazuh_dashboard/wazuh_dashboard.yml +export SEC_CONFIG_FILE=./config/wazuh_indexer/config.yml + +if [[ "$3" =~ "saml" ]]; then + profile="saml" + export WAZUH_DASHBOARD_CONF=./config/wazuh_dashboard/wazuh_dashboard_saml.yml + export SEC_CONFIG_FILE=./config/wazuh_indexer/config-saml.yml +fi + +case "$2" in +up) + docker compose --profile $profile -f rel.yml -p "${COMPOSE_PROJECT_NAME}" up -Vd + echo + echo "1. 
(Optional) Enroll an agent (Ubuntu 20.04):" + echo "docker run --name ${COMPOSE_PROJECT_NAME}-agent --network ${COMPOSE_PROJECT_NAME} --label com.docker.compose.project=${COMPOSE_PROJECT_NAME} -d ubuntu:20.04 bash -c '" + echo " apt update -y" + echo " apt install -y curl lsb-release" + echo " curl -so \wazuh-agent-${WAZUH_STACK}.deb \\" + echo " https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_${WAZUH_STACK}-1_amd64.deb \\" + echo " && WAZUH_MANAGER='wazuh.manager' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-${WAZUH_STACK}.deb" + echo + echo " /etc/init.d/wazuh-agent start" + echo " tail -f /var/ossec/logs/ossec.log" + echo "'" + echo + ;; +down) + docker compose --profile $profile -f rel.yml -p "${COMPOSE_PROJECT_NAME}" down -v --remove-orphans + ;; +stop) + docker compose --profile $profile -f rel.yml -p "${COMPOSE_PROJECT_NAME}" stop + ;; +*) + echo "Action must be either up or down" + usage + ;; +esac diff --git a/docker/wazuh-4.7/rel.yml b/docker/wazuh-4.7/rel.yml new file mode 100755 index 0000000000..fd5b1a3a08 --- /dev/null +++ b/docker/wazuh-4.7/rel.yml 
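Review bot: The enrolment instructions print `curl -so \wazuh-agent-${WAZUH_STACK}.deb \\`, keeping a stray backslash that double quotes preserve; an interactive shell unescapes `\w` to `w` so it happens to work, but it reads as a typo and does not match the `dpkg -i ./wazuh-agent-...` line that follows, so use `echo "    curl -so ./wazuh-agent-${WAZUH_STACK}.deb \\"`. The default branch's message `"Action must be either up or down"` omits `stop`, which the case statement accepts. `exit -1` yields status 255; `exit 1` is the conventional failure code.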
@@ -0,0 +1,325 @@ +# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2) +version: '3.9' + +# x-logging: &logging +# logging: +# driver: loki +# options: +# loki-url: 'http://host.docker.internal:3100/loki/api/v1/push' + +services: + generator: + image: cfssl/cfssl + profiles: + - 'saml' + - 'standard' + # <<: *logging + volumes: + - wi_certs:/certs/wi + - wd_certs:/certs/wd + - wm_certs:/certs/wm + - idp_certs:/certs/idp + - ./config/certs:/conf + # Included to avoid docker from creating duplicated networks + networks: + - wz-rel + entrypoint: /bin/bash + command: > + -c ' + export certs=/tmp/certs + mkdir $$certs + cd $$certs + + echo "Generating CA" + cfssl gencert -initca /conf/ca.json | cfssljson -bare ca + + echo "Generating servers certificates" + for i in wazuh.indexer wazuh.dashboard wazuh.manager; do + echo "Generating cert for $$i" + cat /conf/host.json | \ + sed "s/HOST/$$i/g" | \ + cfssl gencert \ + -ca $$certs/ca.pem \ + -ca-key $$certs/ca-key.pem \ + -config /conf/cfssl.json \ + -profile=server - | \ + cfssljson -bare $$i + openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key + done + + echo "Generating clients certificates" + for i in admin saml filebeat; do + echo "Generating cert for $$i" + cat /conf/host.json | \ + sed "s/HOST/$$i/g" | \ + cfssl gencert \ + -ca $$certs/ca.pem \ + -ca-key $$certs/ca-key.pem \ + -config /conf/cfssl.json \ + -profile=client - | \ + cfssljson -bare $$i + openssl pkcs8 -topk8 -inform pem -in $$i-key.pem -outform pem -nocrypt -out $$i.key + done + + echo "Setting up permissions" + + rm /certs/wi/* /certs/wd/* /certs/wm/* + + mv $$certs/wazuh.indexer* /certs/wi + mv $$certs/admin* /certs/wi + mv /certs/wi/admin.key /certs/wi/admin-key.pem + cp $$certs/*ca* /certs/wi + + mv $$certs/saml* /certs/idp + mv /certs/idp/saml.key /certs/idp/saml-key.pem + cp $$certs/*ca* /certs/idp + + mv $$certs/wazuh.dashboard* /certs/wd + cp $$certs/*ca* /certs/wd + + mv $$certs/*.* /certs/wm + + chmod 640 
/certs/wi/* /certs/wd/* /certs/wm/* + chown -R 1000:1000 /certs/* + ls -alR /certs/ + + sleep 300 + ' + healthcheck: + test: ['CMD-SHELL', '[ -r /certs/wm/wazuh.manager.pem ]'] + interval: 2s + timeout: 5s + retries: 10 + + idpsec: + image: quay.io/keycloak/keycloak:19.0.1 + depends_on: + generator: + condition: service_healthy + profiles: + - 'saml' + volumes: + - wi_certs:/certs/wi + - wd_certs:/certs/wd + - wm_certs:/certs/wm + - idp_certs:/certs/idp + networks: + - wz-rel + - mon + entrypoint: /bin/bash + command: > + -c ' + # trust store + for i in /certs/idp/ca.pem /certs/wd/wazuh.dashboard.pem /certs/wi/wazuh.indexer.pem + do + keytool -import -alias $$(basename $$i .pem) -file $$i -keystore /certs/idp/truststore.jks -storepass SecretPassword -trustcacerts -noprompt + done + sleep 300 + ' + healthcheck: + test: ['CMD-SHELL', '[ -r /certs/idp/truststore.jks ]'] + interval: 2s + timeout: 5s + retries: 10 + + wazuh.manager: + depends_on: + generator: + condition: service_healthy + image: wazuh/wazuh-manager:${WAZUH_STACK} + profiles: + - 'saml' + - 'standard' + hostname: wazuh.manager + networks: + - wz-rel + - mon + # <<: *logging + environment: + - INDEXER_URL=https://wazuh.indexer:9200 + - INDEXER_USERNAME=admin + - INDEXER_PASSWORD=SecretPassword + - FILEBEAT_SSL_VERIFICATION_MODE=full + - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/wazuh/ca.pem + - SSL_CERTIFICATE=/etc/ssl/wazuh/filebeat.pem + - SSL_KEY=/etc/ssl/wazuh/filebeat.key + - API_USERNAME=wazuh-wui + - API_PASSWORD=MyS3cr37P450r.*- + volumes: + - wazuh_api_configuration:/var/ossec/api/configuration + - wazuh_etc:/var/ossec/etc + - wazuh_logs:/var/ossec/logs + - wazuh_queue:/var/ossec/queue + - wazuh_var_multigroups:/var/ossec/var/multigroups + - wazuh_integrations:/var/ossec/integrations + - wazuh_active_response:/var/ossec/active-response/bin + - wazuh_agentless:/var/ossec/agentless + - wazuh_wodles:/var/ossec/wodles + - filebeat_etc:/etc/filebeat + - filebeat_var:/var/lib/filebeat + - 
wm_certs:/etc/ssl/wazuh + - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf + + wazuh.indexer: + depends_on: + generator: + condition: service_healthy + idpsetup: + condition: service_completed_successfully + required: false + image: wazuh/wazuh-indexer:${WAZUH_STACK} + profiles: + - 'saml' + - 'standard' + hostname: wazuh.indexer + networks: + - wz-rel + - mon + # <<: *logging + environment: + - 'OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m' + - 'OPENSEARCH_PATH_CONF=/usr/share/wazuh-indexer/config' + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + volumes: + - wazuh-indexer-data:/var/lib/wazuh-indexer + - wi_certs:/usr/share/wazuh-indexer/certs/ + - idp_certs:/usr/share/wazuh-indexer/idp/ + - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml + - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml + - ${SEC_CONFIG_FILE}:/usr/share/wazuh-indexer/opensearch-security/config.yml + - ./config/wazuh_indexer/roles.yml:/usr/share/wazuh-indexer/opensearch-security/roles.yml + - ./config/wazuh_indexer/roles_mapping.yml:/usr/share/wazuh-indexer/opensearch-security/roles_mapping.yml + healthcheck: + test: + [ + 'CMD-SHELL', + '/usr/share/wazuh-indexer/bin/opensearch-plugin list | grep -q security', + ] + interval: 10s + timeout: 10s + retries: 120 + + wazuh.dashboard: + image: wazuh/wazuh-dashboard:${WAZUH_STACK} + profiles: + - 'saml' + - 'standard' + hostname: wazuh.dashboard + depends_on: + wazuh.indexer: + condition: service_healthy + networks: + - wz-rel + - mon + # <<: *logging + ports: + - ${KIBANA_PORT}:5601 + environment: + - INDEXER_USERNAME=admin + - INDEXER_PASSWORD=SecretPassword + - WAZUH_API_URL=https://wazuh.manager + - API_USERNAME=wazuh-wui + - API_PASSWORD=MyS3cr37P450r.*- + volumes: + - wd_certs:/usr/share/wazuh-dashboard/certs + - ${WAZUH_DASHBOARD_CONF}:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml + 
- ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml + + exporter: + image: quay.io/prometheuscommunity/elasticsearch-exporter:latest + profiles: + - 'saml' + - 'standard' + # <<: *logging + hostname: 'exporter' + networks: + - wz-rel + - mon + command: + - '--es.uri=https://admin:${KIBANA_PASSWORD}@wazuh-indexer:9200' + - '--es.ssl-skip-verify' + - '--es.all' + + idp: + image: quay.io/keycloak/keycloak:19.0.1 + depends_on: + idpsec: + condition: service_healthy + profiles: + - 'saml' + hostname: idp + # <<: *logging + networks: + - wz-rel + - mon + ports: + - '8080:8080' + environment: + - KEYCLOAK_ADMIN=admin + - KEYCLOAK_ADMIN_PASSWORD=admin + - KC_SPI_TRUSTSTORE_FILE_PASSWORD=SecretPassword + - KC_SPI_TRUSTSTORE_FILE_FILE=/certs/truststore.jks + volumes: + - keycloak-data:/var/lib/keycloak/data + - idp_certs:/certs + command: start-dev + healthcheck: + test: curl -f http://idp:8080/realms/master || exit 1 + interval: 10s + timeout: 5s + retries: 6 + + idpsetup: + image: badouralix/curl-jq + depends_on: + idp: + condition: service_healthy + profiles: + - 'saml' + hostname: idpsetup + # <<: *logging + networks: + - wz-rel + - mon + volumes: + - wi_certs:/certs/wi + - ./enable_saml.sh:/enable_saml.sh + entrypoint: /bin/sh + command: > + -c ' + apk add bash + bash /enable_saml.sh + exit 0 + ' + +networks: + wz-rel: + name: ${COMPOSE_PROJECT_NAME} + driver: bridge + mon: + external: true + +volumes: + wi_certs: + wd_certs: + wm_certs: + idp_certs: + wazuh_api_configuration: + wazuh_etc: + wazuh_logs: + wazuh_queue: + wazuh_var_multigroups: + wazuh_integrations: + wazuh_active_response: + wazuh_agentless: + wazuh_wodles: + filebeat_etc: + filebeat_var: + wazuh-indexer-data: + keycloak-data: diff --git a/docker/wazuh-4.x-es/pre.yml b/docker/wazuh-4.x-es/pre.yml index fa1202432c..60d31a1df3 100755 --- a/docker/wazuh-4.x-es/pre.yml +++ b/docker/wazuh-4.x-es/pre.yml 
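Review bot: The exporter's `--es.uri=https://admin:${KIBANA_PASSWORD}@wazuh-indexer:9200` uses the hostname `wazuh-indexer`, but the indexer service is declared with `hostname: wazuh.indexer` and pre.yml passes `wazuh.indexer:9200` for the same option, so inside `wz-rel` the name will not resolve and the exporter never scrapes; change it to `'--es.uri=https://admin:${KIBANA_PASSWORD}@wazuh.indexer:9200'`. The manager and dashboard carry `INDEXER_PASSWORD=SecretPassword` literally while the exporter reads `${KIBANA_PASSWORD}`, so setting `PASSWORD` when running rel.sh yields a stack where only the exporter uses the override; `INDEXER_PASSWORD=${KIBANA_PASSWORD}` keeps them consistent. The `idp` service publishes Keycloak on the host as `8080:8080` with `KEYCLOAK_ADMIN_PASSWORD=admin`, which enable_saml.sh relies on; binding it as `'127.0.0.1:8080:8080'` keeps the admin console off the LAN on shared dev machines without changing the in-network behaviour.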
@@ -1,16 +1,16 @@ -version: "2.2" +version: '2.2' x-logging: &logging logging: driver: loki options: - loki-url: "http://host.docker.internal:3100/loki/api/v1/push" + loki-url: 'http://host.docker.internal:3100/loki/api/v1/push' services: exporter: image: quay.io/prometheuscommunity/elasticsearch-exporter:latest <<: *logging - hostname: "exporter-kbn-${ES_VERSION}" + hostname: 'exporter-kbn-${ES_VERSION}' networks: - es-pre - mon @@ -21,7 +21,7 @@ services: imposter: image: outofcoffee/imposter - hostname: "imposter-kbn-${ES_VERSION}" + hostname: 'imposter-kbn-${ES_VERSION}' networks: - es-pre - mon @@ -38,7 +38,7 @@ services: condition: service_healthy image: elastic/filebeat:7.10.2 hostname: filebeat - user: "0:0" + user: '0:0' networks: - es-pre <<: *logging @@ -51,7 +51,7 @@ services: echo admin | filebeat keystore add username --stdin --force echo ${ELASTIC_PASSWORD}| filebeat keystore add password --stdin --force curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.3/extensions/elasticsearch/7.x/wazuh-template.json - curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.3.tar.gz | tar -xvz -C /usr/share/filebeat/module + curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module # copy filebeat to preserve correct permissions without # affecting host filesystem cp /tmp/filebeat.yml /usr/share/filebeat/filebeat.yml @@ -72,7 +72,7 @@ services: - certs:/usr/share/elasticsearch/config/certs - ./config/wazuh_indexer_ssl_certs/:/tmp/certs - ./config/setup_permissions.sh:/tmp/setup_permissions.sh - user: "0" + user: '0' command: > bash -c ' if [ x${ELASTIC_PASSWORD} == x ]; then @@ -134,7 +134,7 @@ services: echo "All done!"; ' healthcheck: - test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"] + test: ['CMD-SHELL', '[ -f config/certs/es01/es01.crt ]'] interval: 1s timeout: 5s retries: 120 
@@ -152,7 +152,7 @@ services: - certs:/usr/share/elasticsearch/config/certs - esdata01:/usr/share/elasticsearch/data environment: - - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + - 'ES_JAVA_OPTS=-Xms512m -Xmx512m' - node.name=es01 - cluster.name=${CLUSTER_NAME} # - cluster.initial_master_nodes=es01,es02,es03 @@ -180,7 +180,7 @@ services: healthcheck: test: [ - "CMD-SHELL", + 'CMD-SHELL', "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'", ] interval: 10s @@ -303,7 +303,7 @@ services: healthcheck: test: [ - "CMD-SHELL", + 'CMD-SHELL', "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'", ] interval: 10s @@ -312,7 +312,7 @@ services: networks: es-pre: - name: "es-pre-${ES_VERSION}" + name: 'es-pre-${ES_VERSION}' driver: bridge mon: external: true diff --git a/plugins/main/public/components/agents/syscollector/__snapshots__/inventory.test.tsx.snap b/plugins/main/public/components/agents/syscollector/__snapshots__/inventory.test.tsx.snap index 227faac4a4..4bc0cdcaf0 100644 --- a/plugins/main/public/components/agents/syscollector/__snapshots__/inventory.test.tsx.snap +++ b/plugins/main/public/components/agents/syscollector/__snapshots__/inventory.test.tsx.snap @@ -67,7 +67,7 @@ exports[`Inventory component A Apple agent should be well rendered. 1`] = `
+
+
+ Host name: + +
+
+
+
+ Board serial: + +
+
@@ -2091,7 +2115,7 @@ exports[`Inventory component A Linux agent should be well rendered. 1`] = `
+
+
+ Host name: + +
+
+
+
+ Board serial: + +
+
@@ -4189,7 +4237,7 @@ exports[`Inventory component A Windows agent should be well rendered. 1`] = `
+
+
+ Host name: + +
+
+
+
+ Board serial: + +
+
diff --git a/plugins/main/public/components/agents/syscollector/components/syscollector-metrics.tsx b/plugins/main/public/components/agents/syscollector/components/syscollector-metrics.tsx index 449f823dbc..bdd08b5322 100644 --- a/plugins/main/public/components/agents/syscollector/components/syscollector-metrics.tsx +++ b/plugins/main/public/components/agents/syscollector/components/syscollector-metrics.tsx @@ -93,7 +93,7 @@ export function InventoryMetrics({ agent }) { )} - + CPU:{' '} {syscollector.isLoading ? ( @@ -105,6 +105,30 @@ export function InventoryMetrics({ agent }) { )} + + + Host name:{' '} + {syscollector.isLoading ? ( + + ) : syscollector.data.os.hostname ? ( + {syscollector.data.os.hostname} + ) : ( + - + )} + + + + + Board serial:{' '} + {syscollector.isLoading ? ( + + ) : syscollector.data.hardware.board_serial ? ( + {syscollector.data.hardware.board_serial} + ) : ( + - + )} + + Last scan:{' '} diff --git a/plugins/main/public/components/security/policies/create-policy.tsx b/plugins/main/public/components/security/policies/create-policy.tsx index 2bf87b539c..58fc60a897 100644 --- a/plugins/main/public/components/security/policies/create-policy.tsx +++ b/plugins/main/public/components/security/policies/create-policy.tsx @@ -110,23 +110,25 @@ export const CreatePolicyFlyout = ({ closeFlyout }) => { const actionsData = actionsRequest?.data?.data || {}; setAvailableActions(actionsData); - const actions = Object.keys(actionsData).map((x, idx) => { - return { - id: idx, - value: x, - inputDisplay: x, - dropdownDisplay: ( - <> - {x} - -
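Review bot: The new Host name and Board serial cells read `syscollector.data.os.hostname` and `syscollector.data.hardware.board_serial` without guarding the intermediate objects, so if the inventory response lacks `os` or `hardware` (an agent not yet scanned, presumably) the render throws instead of showing the `-` fallback; `syscollector.data.os?.hostname` and `syscollector.data.hardware?.board_serial` in both the condition and the displayed value keep the existing fallback. This assumes the fetch can return a partial object — if the hook always normalises both keys, a one-line comment above the JSX saying so would make that explicit. The InventoryMetrics function continues outside the hunk.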

- {actionsData[x].description} -

-
- - ), - }; - }); + const actions = Object.keys(actionsData) + .map((x, idx) => { + return { + id: idx, + value: x, + inputDisplay: x, + dropdownDisplay: ( + <> + {x} + +

+ {actionsData[x].description} +

+
+ + ), + }; + }) + .sort((a, b) => a.value.localeCompare(b.value)); setActions(actions); } @@ -137,23 +139,25 @@ export const CreatePolicyFlyout = ({ closeFlyout }) => { allResources = allResources.concat(res); }); const allResourcesSet = new Set(allResources); - const resources = Array.from(allResourcesSet).map((x, idx) => { - return { - id: idx, - value: x, - inputDisplay: x, - dropdownDisplay: ( - <> - {x} - -

- {availableResources[x].description} -

-
- - ), - }; - }); + const resources = Array.from(allResourcesSet) + .map((x, idx) => { + return { + id: idx, + value: x, + inputDisplay: x, + dropdownDisplay: ( + <> + {x} + +

+ {availableResources[x].description} +

+
+ + ), + }; + }) + .sort((a, b) => a.value.localeCompare(b.value)); setResources(resources); }; diff --git a/plugins/main/public/components/security/policies/edit-policy.tsx b/plugins/main/public/components/security/policies/edit-policy.tsx index b2935bb611..17485f96d3 100644 --- a/plugins/main/public/components/security/policies/edit-policy.tsx +++ b/plugins/main/public/components/security/policies/edit-policy.tsx @@ -112,23 +112,25 @@ export const EditPolicyFlyout = ({ policy, closeFlyout }) => { const actionsData = actionsRequest?.data?.data || {}; setAvailableActions(actionsData); - const actions = Object.keys(actionsData).map((x, idx) => { - return { - id: idx, - value: x, - inputDisplay: x, - dropdownDisplay: ( - <> - {x} - -

- {actionsData[x].description} -

-
- - ), - }; - }); + const actions = Object.keys(actionsData) + .map((x, idx) => { + return { + id: idx, + value: x, + inputDisplay: x, + dropdownDisplay: ( + <> + {x} + +

+ {actionsData[x].description} +

+
+ + ), + }; + }) + .sort((a, b) => a.value.localeCompare(b.value)); setActions(actions); } @@ -139,23 +141,25 @@ export const EditPolicyFlyout = ({ policy, closeFlyout }) => { allResources = allResources.concat(res); }); const allResourcesSet = new Set(allResources); - const resources = Array.from(allResourcesSet).map((x, idx) => { - return { - id: idx, - value: x, - inputDisplay: x, - dropdownDisplay: ( - <> - {x} - -

- {(availableResources[x] || {}).description} -

-
- - ), - }; - }); + const resources = Array.from(allResourcesSet) + .map((x, idx) => { + return { + id: idx, + value: x, + inputDisplay: x, + dropdownDisplay: ( + <> + {x} + +

+ {(availableResources[x] || {}).description} +

+
+ + ), + }; + }) + .sort((a, b) => a.value.localeCompare(b.value)); setResources(resources); }; diff --git a/plugins/main/public/components/security/policies/policies-table.tsx b/plugins/main/public/components/security/policies/policies-table.tsx index 866d0a34d0..4e2d9b376d 100644 --- a/plugins/main/public/components/security/policies/policies-table.tsx +++ b/plugins/main/public/components/security/policies/policies-table.tsx @@ -87,7 +87,7 @@ export const PoliciesTable = ({ name: 'Actions', sortable: true, render: actions => { - return (actions || []).join(', '); + return (actions || []).sort((a, b) => a.localeCompare(b)).join(', '); }, truncateText: true, }, diff --git a/plugins/main/public/controllers/agent/components/agents-preview.js b/plugins/main/public/controllers/agent/components/agents-preview.js index bb02a41ce3..06494f4929 100644 --- a/plugins/main/public/controllers/agent/components/agents-preview.js +++ b/plugins/main/public/controllers/agent/components/agents-preview.js @@ -23,6 +23,7 @@ import { EuiToolTip, EuiCard, EuiLink, + EuiProgress, } from '@elastic/eui'; import { AgentsTable } from './agents-table'; import { WzRequest } from '../../../react-services/wz-request'; @@ -53,6 +54,7 @@ import { agentStatusColorByAgentStatus, agentStatusLabelByAgentStatus, } from '../../../../common/services/wz_agent_status'; +import { AppNavigate } from '../../../react-services/app-navigate.js'; import { endpointSumary } from '../../../utils/applications'; export const AgentsPreview = compose( @@ -220,6 +222,19 @@ export const AgentsPreview = compose( render() { const evolutionIsReady = this.props.resultState !== 'loading'; + //This condition is because the angular template and the controller have a small delay to show the register agent component when there are no agents + //This condition must be removed when the controller is removed + if ( + !this.state.agentStatusSummary.total || + this.state.agentStatusSummary.total === '-' + ) { + return ( +
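Review bot: `Array.prototype.sort` sorts in place, so the new `(actions || []).sort(...)` in the Actions column render mutates the `actions` array of the table row's policy object every time the cell renders, rather than only producing display text. Sorting a copy removes the side effect: `return [...(actions || [])].sort((a, b) => a.localeCompare(b)).join(', ');`. Whether anything downstream relies on the original order cannot be told from this hunk, but a column render function should not modify its input data.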
+ +
+ ); + } + return ( @@ -306,10 +321,13 @@ export const AgentsPreview = compose( content='View agent details' > - this.showAgent( - this.state.lastRegisteredAgent, - ) + onClick={ev => { + ev.stopPropagation(); + AppNavigate.navigateToModule(ev, 'agents', { + tab: 'welcome', + agent: this.state.lastRegisteredAgent?.id, + }); + } } > {this.state.lastRegisteredAgent?.name || '-'} @@ -336,8 +354,13 @@ export const AgentsPreview = compose( content='View agent details' > - this.showAgent(this.state.agentMostActive) + onClick={ev => { + ev.stopPropagation(); + AppNavigate.navigateToModule(ev, 'agents', { + tab: 'welcome', + agent: this.state.agentMostActive?.id, + }); + } } > {this.state.agentMostActive?.name || '-'} diff --git a/plugins/main/public/controllers/agent/components/agents-preview.scss b/plugins/main/public/controllers/agent/components/agents-preview.scss index 04f94f4f6f..e420ca4e33 100644 --- a/plugins/main/public/controllers/agent/components/agents-preview.scss +++ b/plugins/main/public/controllers/agent/components/agents-preview.scss @@ -57,7 +57,7 @@ position: absolute; top: 0; width: 100%; - height: 90%; + height: 100%; display: flex; flex-direction: column; justify-content: center; diff --git a/plugins/main/public/controllers/register-agent/components/command-output/command-output.tsx b/plugins/main/public/controllers/register-agent/components/command-output/command-output.tsx index 31064c60fe..1a8f604ccf 100644 --- a/plugins/main/public/controllers/register-agent/components/command-output/command-output.tsx +++ b/plugins/main/public/controllers/register-agent/components/command-output/command-output.tsx @@ -55,7 +55,6 @@ export default function CommandOutput(props: ICommandSectionProps) { const onChangeShowPassword = (event: EuiSwitchEvent) => { setShowPassword(event.target.checked); }; - return ( @@ -64,6 +63,7 @@ export default function CommandOutput(props: ICommandSectionProps) { 
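Review bot: In the two new onClick handlers (hunks at 306 and 336), `AppNavigate.navigateToModule` is called with `agent: this.state.lastRegisteredAgent?.id` / `this.state.agentMostActive?.id` even when no agent is loaded, so clicking the link that currently renders as `'-'` navigates to the agents module with `agent: undefined`. Guard before navigating, e.g. `const agentId = this.state.lastRegisteredAgent?.id; if (!agentId) return;`, or render plain text rather than a link when the agent is absent. The loading guard added at 220 compares `total` with the string `'-'`, a presentation sentinel; since the comment says the condition is temporary, a `// TODO(controller-removal): drop this guard` marker would help whoever removes the angular controller find it. The render method continues outside these hunks.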
diff --git a/plugins/main/public/controllers/register-agent/components/command-output/os-warning.tsx b/plugins/main/public/controllers/register-agent/components/command-output/os-warning.tsx new file mode 100644 index 0000000000..e9e17e0e65 --- /dev/null +++ b/plugins/main/public/controllers/register-agent/components/command-output/os-warning.tsx @@ -0,0 +1,69 @@ +import React from 'react'; +import { EuiCallOut } from '@elastic/eui'; +import { tOperatingSystem } from '../../core/config/os-commands-definitions'; + +interface OsWarningProps { + os?: tOperatingSystem['name']; +} + +export default function OsCommandWarning(props: OsWarningProps) { + const osSelector = { + WINDOWS: ( + +
    +
  • + + You will need administrator privileges to perform this + installation. + +
  • +
  • + PowerShell 3.0 or greater is required. +
  • +
+

+ Keep in mind you need to run this command in a Windows PowerShell + terminal. +

+
+ ), + LINUX: ( + +
    +
  • + + You will need administrator privileges to perform this + installation. + +
  • +
  • + Shell Bash is required. +
  • +
+

+ Keep in mind you need to run this command in a Shell Bash terminal. +

+
+ ), + macOS: ( + +
    +
  • + + You will need administrator privileges to perform this + installation. + +
  • +
  • + Shell Bash is required. +
  • +
+

+ Keep in mind you need to run this command in a Shell Bash terminal. +

+
+ ), + }; + + return osSelector[props?.os] || null; +} diff --git a/plugins/main/public/controllers/register-agent/components/group-input/group-input.tsx b/plugins/main/public/controllers/register-agent/components/group-input/group-input.tsx index e12c301850..afeab1b86e 100644 --- a/plugins/main/public/controllers/register-agent/components/group-input/group-input.tsx +++ b/plugins/main/public/controllers/register-agent/components/group-input/group-input.tsx @@ -45,7 +45,7 @@ const GroupInput = ({ value, options, onChange }) => { >
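Review bot: `osSelector[props?.os] || null` is a case-sensitive lookup on the keys `WINDOWS`, `LINUX` and `macOS`, so any `tOperatingSystem['name']` value that does not match that exact casing silently renders nothing and the administrator-privileges and shell warnings are lost with no signal. If the OS definitions file spells the names differently (not visible here) the component never shows a warning; typing the prop as `keyof typeof osSelector` would surface such a mismatch at compile time, and a default callout with the common administrator-privileges text would avoid the silent fall-through at runtime. The three callouts also repeat the same privileges bullet, so a shared constant for that sentence would keep the wording in sync. A JSDoc such as `/** Per-OS prerequisites shown under the install command; renders nothing for an unrecognised OS name. */` would document the intended behaviour.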

- Select one or more existing groups + Select one or more existing groups:

diff --git a/plugins/main/public/controllers/register-agent/components/optionals-inputs/optionals-inputs.tsx b/plugins/main/public/controllers/register-agent/components/optionals-inputs/optionals-inputs.tsx index 317e3b6c41..8a0364ed9c 100644 --- a/plugins/main/public/controllers/register-agent/components/optionals-inputs/optionals-inputs.tsx +++ b/plugins/main/public/controllers/register-agent/components/optionals-inputs/optionals-inputs.tsx @@ -27,7 +27,7 @@ const OptionalsInputs = (props: OptionalsInputsProps) => { const agentNameDocLink = webDocumentationLink( 'user-manual/reference/ossec-conf/client.html#enrollment-agent-name', PLUGIN_VERSION_SHORT, - ) + ); const popoverAgentName = ( Learn about{' '} @@ -64,7 +64,7 @@ const OptionalsInputs = (props: OptionalsInputsProps) => { gutterSize='s' > -

Assign an agent name

+

Assign an agent name:

{ /> {warningForAgentName}
} + title={ + + {warningForAgentName} + + + } iconType='iInCircle' className='warningForAgentName' /> diff --git a/plugins/main/public/controllers/register-agent/containers/register-agent/register-agent.tsx b/plugins/main/public/controllers/register-agent/containers/register-agent/register-agent.tsx index 8ae23213cd..7d110bfa2d 100644 --- a/plugins/main/public/controllers/register-agent/containers/register-agent/register-agent.tsx +++ b/plugins/main/public/controllers/register-agent/containers/register-agent/register-agent.tsx @@ -11,15 +11,17 @@ import { EuiProgress, EuiButton, } from '@elastic/eui'; -import { WzRequest } from '../../../../react-services/wz-request'; + import { UI_LOGGER_LEVELS } from '../../../../../common/constants'; import { UI_ERROR_SEVERITIES } from '../../../../react-services/error-orchestrator/types'; import { ErrorHandler } from '../../../../react-services/error-management'; -import { getMasterRemoteConfiguration } from '../../../agent/components/register-agent-service'; import './register-agent.scss'; import { Steps } from '../steps/steps'; import { InputForm } from '../../../../components/common/form'; -import { getGroups } from '../../services/register-agent-services'; +import { + getGroups, + getMasterConfiguration, +} from '../../services/register-agent-services'; import { useForm } from '../../../../components/common/form/hooks'; import { FormConfiguration } from '../../../../components/common/form/types'; import { useSelector } from 'react-redux'; 
@@ -93,39 +95,26 @@ export const RegisterAgent = withReduxProvider( const form = useForm(initialFields); - const getRemoteConfig = async () => { - const remoteConfig = await getMasterRemoteConfiguration(); - if (remoteConfig) { - setHaveUdpProtocol(remoteConfig.isUdp); - } - }; - - const getAuthInfo = async () => { - try { - const result = await WzRequest.apiReq( - 'GET', - '/agents/000/config/auth/auth', - {}, - ); - return (result.data || {}).data || {}; - } catch (error) { - ErrorHandler.handleError(error); + const getMasterConfig = async () => { + const masterConfig = await getMasterConfiguration(); + if (masterConfig?.remote) { + setHaveUdpProtocol(masterConfig.remote.isUdp); } + return masterConfig; }; useEffect(() => { const fetchData = async () => { try { const wazuhVersion = await getWazuhVersion(); - await getRemoteConfig(); - const authInfo = await getAuthInfo(); + const { auth: authConfig } = await getMasterConfig(); // get wazuh password configuration let wazuhPassword = ''; - const needsPassword = (authInfo.auth || {}).use_password === 'yes'; + const needsPassword = authConfig?.auth?.use_password === 'yes'; if (needsPassword) { wazuhPassword = - configuration['enrollment.password'] || - authInfo['authd.pass'] || + configuration?.['enrollment.password'] || + authConfig?.['authd.pass'] || ''; } const groups = await getGroups(); diff --git a/plugins/main/public/controllers/register-agent/containers/steps/steps.scss b/plugins/main/public/controllers/register-agent/containers/steps/steps.scss index 17bdbef44c..5ea8024f31 100644 --- a/plugins/main/public/controllers/register-agent/containers/steps/steps.scss +++ b/plugins/main/public/controllers/register-agent/containers/steps/steps.scss @@ -32,10 +32,6 @@ margin-top: 10px; } - .euiToolTipAnchor { - margin-left: 7px; - } - .subtitleAgentName { flex-direction: 'row'; font-style: 'normal'; 
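Review bot: The enrollment password fallback now reads `authConfig?.['authd.pass']`, where `authConfig` is `affected_items[0]` of `/manager/configuration/auth/auth` (or the cluster variant) rather than the `data.data` of the old `/agents/000/config/auth/auth` request; if the new response does not carry an `authd.pass` key at that level, the password silently degrades to `''` and the generated command is rendered without it even though `use_password === 'yes'`. Verify the shape against the API, and consider surfacing the case where a password is required but none resolves, e.g. `if (needsPassword && !wazuhPassword) { /* warn: enrollment password required but not available */ }`. Note also that `getMasterConfig` drops the try/catch that `getAuthInfo` had, so an auth-endpoint failure now aborts the whole `fetchData` instead of only the password lookup; that may be intended, but it is a behaviour change worth a comment. The body of `fetchData` continues outside the hunk.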
diff --git a/plugins/main/public/controllers/register-agent/containers/steps/steps.tsx b/plugins/main/public/controllers/register-agent/containers/steps/steps.tsx index 2c0dec80e2..6bfc6ff282 100644 --- a/plugins/main/public/controllers/register-agent/containers/steps/steps.tsx +++ b/plugins/main/public/controllers/register-agent/containers/steps/steps.tsx @@ -33,6 +33,7 @@ import { tFormStepsLabel, } from '../../services/register-agent-steps-status-services'; import { webDocumentationLink } from '../../../../../common/services/web_documentation'; +import OsCommandWarning from '../../components/command-output/os-warning'; interface IStepsProps { needsPassword: boolean; @@ -141,14 +142,14 @@ export const Steps = ({ status: getOSSelectorStepStatus(form.fields), }, { - title: 'Server address', + title: 'Server address:', children: , status: getServerAddressStepStatus(form.fields), }, ...(needsPassword && !wazuhPassword ? [ { - title: 'Wazuh password', + title: 'Wazuh password:', children: ( , status: getOptionalParameterStepStatus( form.fields, @@ -184,8 +185,7 @@ export const Steps = ({ ), }, { - title: - 'Run the following commands to download and install the Wazuh agent:', + title: 'Run the following commands to download and install the agent:', children: ( <> {missingStepsName?.length ? ( @@ -208,20 +208,25 @@ export const Steps = ({ /> ) : null} {!missingStepsName?.length && !invalidFieldsName?.length ? ( - setInstallCommandWasCopied(true)} - password={registerAgentFormValues.optionalParams.wazuhPassword} - /> + <> + setInstallCommandWasCopied(true)} + password={registerAgentFormValues.optionalParams.wazuhPassword} + /> + + ) : null} ), status: installCommandStepStatus, }, { - title: 'Start the Wazuh agent:', + title: 'Start the agent:', children: ( <> {missingStepsName?.length ? ( 
diff --git a/plugins/main/public/controllers/register-agent/services/register-agent-services.tsx b/plugins/main/public/controllers/register-agent/services/register-agent-services.tsx index 8200224bb2..82377255e8 100644 --- a/plugins/main/public/controllers/register-agent/services/register-agent-services.tsx +++ b/plugins/main/public/controllers/register-agent/services/register-agent-services.tsx @@ -42,7 +42,10 @@ export const clusterStatusResponse = async (): Promise => { /** * Get the remote configuration from api */ -async function getRemoteConfiguration(nodeName: string): Promise { +async function getRemoteConfiguration( + nodeName: string, + clusterStatus: boolean, +): Promise { let config: RemoteConfig = { name: nodeName, isUdp: false, @@ -50,7 +53,6 @@ async function getRemoteConfiguration(nodeName: string): Promise { }; try { - const clusterStatus = await clusterStatusResponse(); let result; if (clusterStatus) { result = await WzRequest.apiReq( @@ -92,6 +94,19 @@ async function getRemoteConfiguration(nodeName: string): Promise { return config; } } +/** + * Get the manager/cluster auth configuration from Wazuh API + * @param node + * @returns + */ +async function getAuthConfiguration(node: string, clusterStatus: boolean) { + const authConfigUrl = clusterStatus + ? `/cluster/${node}/configuration/auth/auth` + : '/manager/configuration/auth/auth'; + const result = await WzRequest.apiReq('GET', authConfigUrl, {}); + const auth = result?.data?.data?.affected_items?.[0]; + return auth; +} /** * Get the remote protocol available from list of protocols 
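Review bot: The new `getAuthConfiguration` interpolates `node` straight into the request path, `/cluster/${node}/configuration/auth/auth`, without `encodeURIComponent`, and unlike the neighbouring `getRemoteConfiguration` it has no try/catch, so a rejected request propagates to every caller. Node names come from the cluster API and are probably benign, but encoding the path segment costs nothing: `` `/cluster/${encodeURIComponent(node)}/configuration/auth/auth` ``. The function also returns `undefined` when `affected_items` is empty, which callers must guard with optional chaining; a JSDoc line such as `@returns the auth section of the node configuration, or undefined if the API returned no items` would make that contract explicit.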
@@ -118,7 +133,11 @@ async function getConnectionConfig( const nodeIp = nodeSelected?.value; if (!defaultServerAddress) { if (nodeSelected.nodetype !== 'custom') { - const remoteConfig = await getRemoteConfiguration(nodeName); + const clusterStatus = await clusterStatusResponse(); + const remoteConfig = await getRemoteConfiguration( + nodeName, + clusterStatus, + ); return { serverAddress: nodeIp, udpProtocol: remoteConfig.isUdp, @@ -213,13 +232,22 @@ export const getMasterNode = (nodeIps: any[]): any[] => { }; /** - * Get the remote configuration from manager + * Get the remote and the auth configuration from manager * This function get the config from manager mode or cluster mode */ -export const getMasterRemoteConfiguration = async () => { +export const getMasterConfiguration = async () => { const nodes = await fetchClusterNodesOptions(); const masterNode = getMasterNode(nodes); - return await getRemoteConfiguration(masterNode[0].label); + const clusterStatus = await clusterStatusResponse(); + const remote = await getRemoteConfiguration( + masterNode[0].label, + clusterStatus, + ); + const auth = await getAuthConfiguration(masterNode[0].label, clusterStatus); + return { + remote, + auth, + }; }; export { getConnectionConfig, getRemoteConfiguration }; 
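Review bot: `getMasterConfiguration` dereferences `masterNode[0].label` twice with no check that `getMasterNode(nodes)` returned anything, so an environment where no master node is identified fails with a TypeError rather than a meaningful error, and because `getAuthConfiguration` has no error handling, an auth request failure (for example an API user lacking permission on the configuration endpoints) also discards the remote configuration that was already fetched. A guard such as `if (!masterNode.length) throw new Error('No master node found');` plus fetching both configurations with `Promise.all`, or catching the auth failure and returning `auth: undefined`, would make the failure modes explicit. `clusterStatusResponse()` is now requested here and again inside `getConnectionConfig`; threading the value through would avoid the duplicate call if the callers allow it.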
@@ -260,16 +288,18 @@ export interface IParseRegisterFormValues { export const parseRegisterAgentFormValues = ( formValues: { name: keyof UseFormReturn['fields']; value: any }[], OSOptionsDefined: RegisterAgentData[], - initialValues?: IParseRegisterFormValues + initialValues?: IParseRegisterFormValues, ) => { // return the values form the formFields and the value property - const parsedForm = initialValues || { - operatingSystem: { - architecture: '', - name: '', - }, - optionalParams: {}, - } as IParseRegisterFormValues; + const parsedForm = + initialValues || + ({ + operatingSystem: { + architecture: '', + name: '', + }, + optionalParams: {}, + } as IParseRegisterFormValues); formValues.forEach(field => { if (field.name === 'operatingSystemSelection') { // search the architecture defined in architecture array and get the os name defined in title array in the same index @@ -284,7 +314,9 @@ export const parseRegisterAgentFormValues = ( } } else { if (field.name === 'agentGroups') { - parsedForm.optionalParams[field.name as any] = field.value.map(item => item.id) + parsedForm.optionalParams[field.name as any] = field.value.map( + item => item.id, + ); } else { parsedForm.optionalParams[field.name as any] = field.value; } @@ -292,4 +324,4 @@ export const parseRegisterAgentFormValues = ( }); return parsedForm; -}; \ No newline at end of file +}; diff --git a/plugins/main/public/controllers/register-agent/utils/register-agent-data.tsx b/plugins/main/public/controllers/register-agent/utils/register-agent-data.tsx index 378bf61d33..39d39d19bf 100644 --- a/plugins/main/public/controllers/register-agent/utils/register-agent-data.tsx +++ b/plugins/main/public/controllers/register-agent/utils/register-agent-data.tsx 
@@ -34,7 +34,7 @@ export const SERVER_ADDRESS_TEXTS = [ { title: 'Server address', subtitle: - 'This is the address the agent uses to communicate with the Wazuh server. Enter an IP address or a fully qualified domain name (FDQN).', + 'This is the address the agent uses to communicate with the server. Enter an IP address or a fully qualified domain name (FDQN).', }, ]; @@ -42,6 +42,6 @@ export const OPTIONAL_PARAMETERS_TEXT = [ { title: 'Optional settings', subtitle: - 'The deployment sets the endpoint hostname as the agent name by default. Optionally, you can set your own name in the field below.', + 'By default, the deployment uses the hostname as the agent name. Optionally, you can use a different agent name in the field below.', }, ]; diff --git a/plugins/main/public/templates/agents-prev/agents-prev.html b/plugins/main/public/templates/agents-prev/agents-prev.html index 573720fea4..a62bbe07ef 100644 --- a/plugins/main/public/templates/agents-prev/agents-prev.html +++ b/plugins/main/public/templates/agents-prev/agents-prev.html @@ -59,7 +59,7 @@ layout="column" layout-align="start space-around" > -
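Review bot: The rewritten subtitle for the Server address step keeps the misspelling `(FDQN)`; the acronym for fully qualified domain name is `FQDN`, so the new string should read `'... Enter an IP address or a fully qualified domain name (FQDN).'`. This is user-facing text in the enrollment wizard, so the typo is shown to every user registering an agent.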
+