wazuh · asteriscos · Dec 13, 2023 · Nov 16, 2023 · Dec 5, 2023 · Dec 5, 2023
diff --git a/docker/images/wazuh-server-filebeat-sources-cmake/Dockerfile b/docker/images/wazuh-server-filebeat-sources-cmake/Dockerfile
@@ -0,0 +1,47 @@
+FROM ubuntu:18.04
+
+ARG WAZUH_VERSION
+ARG FILEBEAT_VERSION
+ARG FILEBEAT_WAZUH_TEMPLATE_URL
+ARG FILEBEAT_WAZUH_MODULE_URL
+
+COPY --chown=root:root preloaded-vars.conf supervisord.conf /tmp/
+COPY --chown=root:root entrypoint.sh /scripts/entrypoint.sh
+
+RUN apt-get update -y \
+    && apt-get -y install supervisor python git gnupg2 gcc make vim wget build-essential \
+        libc6-dev libc6-dev-mips64-cross curl policycoreutils automake autoconf libtool apt-transport-https lsb-release python-cryptography \
+    && wget -O - https://apt.kitware.com/keys/kitware-archive-latest.asc 2>/dev/null | gpg --dearmor - | tee /etc/apt/trusted.gpg.d/kitware.gpg >/dev/null \
+    && echo "deb https://apt.kitware.com/ubuntu/ bionic main" | tee -a /etc/apt/sources.list.d/cmake.list \
+    && apt-get update -y \
+    && apt-get install cmake -y \
+    && rm -rf /var/lib/apt/lists/* \
+    && mkdir -p /var/log/supervisor \
+    && mv /tmp/supervisord.conf /etc/supervisor/conf.d/ \
+    && curl -Ls https://github.com/wazuh/wazuh/archive/$WAZUH_VERSION.tar.gz | tar zx \
+    && WAZUH_TMP_INSTALLER_DIRECTORY="/$(ls | grep wazuh)" \
+    && cp /tmp/preloaded-vars.conf $WAZUH_TMP_INSTALLER_DIRECTORY/etc/ \
+    && $WAZUH_TMP_INSTALLER_DIRECTORY/install.sh \
+    && rm -rf $WAZUH_TMP_INSTALLER_DIRECTORY \
+    && curl -so /tmp/filebeat-installer.deb https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-$FILEBEAT_VERSION-amd64.deb \
+    && dpkg -i /tmp/filebeat-installer.deb \
+    && curl -so /etc/filebeat/wazuh-template.json $FILEBEAT_WAZUH_TEMPLATE_URL \
+    && curl -s $FILEBEAT_WAZUH_MODULE_URL | tar -xvz -C /usr/share/filebeat/module
+
+ENTRYPOINT /scripts/entrypoint.sh
+
+WORKDIR /var/ossec
+
+EXPOSE 514
+EXPOSE 1514
+EXPOSE 1515
+EXPOSE 1516
+EXPOSE 55000
+
+### Variables ###
+
+## Arguments
+# WAZUH_VERSION - Define the Wazuh branch/tag to install. [WAZUH_VERSION=4.1.0]
+# FILEBEAT_VERSION - Filebeat Version
+# FILEBEAT_WAZUH_TEMPLATE_URL - Link with the Wazuh template. [FILEBEAT_WAZUH_TEMPLATE_URL=https://raw.githubusercontent.com/wazuh/wazuh/4.0/extensions/elasticsearch/7.x/wazuh-template.json]
+# FILEBEAT_WAZUH_MODULE_URL - Link with the Wazuh Filebeat module. [FILEBEAT_WAZUH_MODULE_URL=https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz]
diff --git a/docker/images/wazuh-server-filebeat-sources-cmake/entrypoint.sh b/docker/images/wazuh-server-filebeat-sources-cmake/entrypoint.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+WITNESS_FILE_PATH=/tmp/wazuh_configurated
+
+NODE_IP="${NODE_IP:-$1}"
+NODE_NAME="${NODE_NAME:-$2}"
+NODE_TYPE="${NODE_TYPE:-$3}"
+NODE_KEY="${NODE_KEY:-9d273b53510fef702b54a92e9cffc82e}"
+CLUSTER_NAME="${CLUSTER_NAME:-wazuh}"
+CLUSTER_DISABLED="${CLUSTER_DISABLED:-no}"
+
+if [ ! -f $WITNESS_FILE_PATH ]; then
+    # Set right permissions for test_config data
+    chown root:wazuh /var/ossec/etc/ossec.conf
+    chown root:wazuh /var/ossec/etc/client.keys
+    chown -R wazuh:wazuh /var/ossec/queue/agent-groups
+    chown -R wazuh:wazuh /var/ossec/etc/shared
+    chown root:wazuh /var/ossec/etc/shared/ar.conf
+    chown -R wazuh:wazuh /var/ossec/queue/agent-info
+
+    # Modify ossec.conf
+    sed -i "s:<key></key>:<key>$NODE_KEY</key>:g" /var/ossec/etc/ossec.conf
+    sed -i "s:<node>NODE_IP</node>:<node>$NODE_IP</node>:g" /var/ossec/etc/ossec.conf
+    sed -i "s:<name>wazuh</name>:<name>$CLUSTER_NAME</name>:g" /var/ossec/etc/ossec.conf
+    sed -i -e "/<cluster>/,/<\/cluster>/ s|<disabled>[a-z]\+</disabled>|<disabled>$CLUSTER_DISABLED</disabled>|g" /var/ossec/etc/ossec.conf
+    sed -i "s:<node_name>node01</node_name>:<node_name>$NODE_NAME</node_name>:g" /var/ossec/etc/ossec.conf
+    sed -i "s:<node_type>master</node_type>:<node_type>$NODE_TYPE</node_type>:g" /var/ossec/etc/ossec.conf
+
+    # Create a witness file
+    touch $WITNESS_FILE_PATH
+fi
+
+chown root: /etc/filebeat/filebeat.yml
+chmod go-w /etc/filebeat/filebeat.yml
+
+service filebeat start
+
+sleep 1
+
+service wazuh-manager restart
+/var/ossec/bin/wazuh-apid restart
+
+/usr/bin/supervisord
diff --git a/docker/images/wazuh-server-filebeat-sources-cmake/preloaded-vars.conf b/docker/images/wazuh-server-filebeat-sources-cmake/preloaded-vars.conf
@@ -0,0 +1,12 @@
+USER_LANGUAGE="en"
+USER_NO_STOP="y"
+USER_INSTALL_TYPE="server"
+USER_DIR="/var/ossec"
+USER_ENABLE_EMAIL="n"
+USER_ENABLE_SYSCHECK="y"
+USER_ENABLE_ROOTCHECK="y"
+USER_ENABLE_OPENSCAP="y"
+USER_WHITE_LIST="n"
+USER_ENABLE_SYSLOG="y"
+USER_ENABLE_AUTHD="y"
+USER_AUTO_START="y"
diff --git a/docker/images/wazuh-server-filebeat-sources-cmake/supervisord.conf b/docker/images/wazuh-server-filebeat-sources-cmake/supervisord.conf
@@ -0,0 +1,4 @@
+[supervisord]
+logfile=/supervisord.log
+pidfile=/var/run/supervisord.pid
+nodaemon=true
diff --git a/docker/osd-dev/config/1.x/filebeat/filebeat.server.yml b/docker/osd-dev/config/1.x/filebeat/filebeat.server.yml
@@ -0,0 +1,21 @@
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+  - module: wazuh
+    alerts:
+      enabled: true
+    archives:
+      enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.template.overwrite: true
+setup.ilm.enabled: false
+output.elasticsearch:
+  hosts: ['https://os1:9200']
+  username: 'admin'
+  password: 'admin'
+  ssl.verification_mode: full
+  ssl.certificate_authorities: ['/etc/ssl/elastic/ca.pem']
+  ssl.certificate: '/etc/ssl/elastic/filebeat.pem'
+  ssl.key: '/etc/ssl/elastic/filebeat-key.pem'
diff --git a/docker/osd-dev/config/1.x/osd/wazuh.yml b/docker/osd-dev/config/1.x/osd/wazuh.yml
@@ -1,18 +1,18 @@
 hosts:
   - manager:
-      url: "https://wazuh.manager"
+      url: 'https://wazuh.manager'
       port: 55000
       username: wazuh-wui
-      password: MyS3cr37P450r.*-
+      password: wazuh-wui
       run_as: false
   - imposter:
-      url: "http://imposter"
+      url: 'http://imposter'
       port: 8080
       username: wazuh-wui
       password: MyS3cr37P450r.*-
       run_as: false
   - imposter-cli:
-      url: "http://<ip-local>"
+      url: 'http://<ip-local>'
       port: 8080
       username: wazuh-wui
       password: MyS3cr37P450r.*-

diff --git a/docker/osd-dev/config/2.x/filebeat/filebeat.server.yml b/docker/osd-dev/config/2.x/filebeat/filebeat.server.yml
@@ -0,0 +1,21 @@
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+  - module: wazuh
+    alerts:
+      enabled: true
+    archives:
+      enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.template.overwrite: true
+setup.ilm.enabled: false
+output.elasticsearch:
+  hosts: ['https://os1:9200']
+  username: 'admin'
+  password: 'admin'
+  ssl.verification_mode: full
+  ssl.certificate_authorities: ['/etc/ssl/elastic/ca.pem']
+  ssl.certificate: '/etc/ssl/elastic/filebeat.pem'
+  ssl.key: '/etc/ssl/elastic/filebeat-key.pem'
diff --git a/docker/osd-dev/config/2.x/osd/wazuh.yml b/docker/osd-dev/config/2.x/osd/wazuh.yml
@@ -1,18 +1,18 @@
 hosts:
   - manager:
-      url: "https://wazuh.manager"
+      url: 'https://wazuh.manager'
       port: 55000
       username: wazuh-wui
-      password: MyS3cr37P450r.*-
+      password: wazuh-wui
       run_as: false
   - imposter:
-      url: "http://imposter"
+      url: 'http://imposter'
       port: 8080
       username: wazuh-wui
       password: MyS3cr37P450r.*-
       run_as: false
   - imposter-cli:
-      url: "http://<ip-local>"
+      url: 'http://<ip-local>'
       port: 8080
       username: wazuh-wui
       password: MyS3cr37P450r.*-

diff --git a/docker/osd-dev/dev.env b/docker/osd-dev/dev.env
@@ -0,0 +1,6 @@
+# Wazuh server
+# WAZUH_VERSION defines the branch or tag to build the Wazuh server from sources
+# WAZUH_VERSION=<branch/tag>
+# Example:
+# WAZUH_VERSION=4.7.2
+WAZUH_VERSION=4.7.2
diff --git a/docker/osd-dev/dev.sh b/docker/osd-dev/dev.sh
@@ -22,20 +22,22 @@ osd_versions=(
   '2.4.0'
   '2.4.1'
   '2.6.0'
+  '2.8.0'
   '4.6.0'
   '4.7.0'
 )
 
 usage() {
   echo
-  echo "./dev.sh os_version osd_version /wazuh_app_src action [saml]"
+  echo "./dev.sh os_version osd_version /wazuh_app_src action [saml/server]"
   echo
   echo "where"
   echo "  os_version is one of " ${os_versions[*]}
   echo "  osd_version is one of " ${osd_versions[*]}
   echo "  wazuh_app_src is the path to the wazuh application source code"
   echo "  action is one of up | down | stop"
   echo "  saml to deploy a saml enabled environment"
+  echo "  server to deploy a real server enabled environment"
   exit -1
 }
 
@@ -96,6 +98,10 @@ if [[ "$5" =~ "saml" ]]; then
   export SEC_CONFIG_FILE=./config/${OSD_MAJOR}/os/config-saml.yml
 fi
 
+if [[ "$5" =~ "server" ]]; then
+  profile="server"
+fi
+
 export SEC_CONFIG_PATH=/usr/share/opensearch/plugins/opensearch-security/securityconfig
 if [[ "$OSD_MAJOR" == "2.x" ]]; then
   export SEC_CONFIG_PATH=/usr/share/opensearch/config/opensearch-security
@@ -104,13 +110,34 @@ fi
 case "$4" in
 up)
   /bin/bash ../scripts/create_docker_networks.sh
-  docker compose --profile $profile -f dev.yml up -Vd
+  docker compose --profile $profile --env-file dev.env -f dev.yml up -Vd
+
+  # Display a command to deploy an agent when using the real server
+  if [[ "$5" =~ "server" ]]; then
+    echo
+    echo "**************WARNING**************"
+    echo "The agent version must be a published one. This uses only released versions."
+    echo "If you need to change de version, edit the command as you see fit."
+    echo "***********************************"
+    echo "1. (Optional) Enroll an agent (Ubuntu 20.04):"
+    echo "docker run --name ${COMPOSE_PROJECT_NAME}-agent-\$(date +%s) --network os-dev-${OS_VERSION} --label com.docker.compose.project=${COMPOSE_PROJECT_NAME} --env WAZUH_AGENT_VERSION=$(grep "^WAZUH_VERSION=" dev.env | sed "s|WAZUH_VERSION=||") -d ubuntu:20.04 bash -c '"
+    echo "  apt update -y"
+    echo "  apt install -y curl lsb-release"
+    echo "  curl -so \wazuh-agent-\${WAZUH_AGENT_VERSION}.deb \\"
+    echo "    https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_\${WAZUH_AGENT_VERSION}-1_amd64.deb \\"
+    echo "    && WAZUH_MANAGER='wazuh.manager' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-\${WAZUH_AGENT_VERSION}.deb"
+    echo
+    echo "  /etc/init.d/wazuh-agent start"
+    echo "  tail -f /var/ossec/logs/ossec.log"
+    echo "'"
+    echo
+  fi
   ;;
 down)
-  docker compose --profile $profile -f dev.yml down -v --remove-orphans
+  docker compose --profile $profile --env-file dev.env -f dev.yml down -v --remove-orphans
   ;;
 stop)
-  docker compose --profile $profile -f dev.yml -p ${COMPOSE_PROJECT_NAME} stop
+  docker compose --profile $profile --env-file dev.env -f dev.yml -p ${COMPOSE_PROJECT_NAME} stop
   ;;
 *)
   echo "Action must be up | down | stop: "