Add Wazuh-Elasticsearch

docker-compose.yml

@@ -3,7 +3,7 @@ version: '2'
 
 services:
   wazuh:
-    image: wazuh/wazuh:3.8.1_6.5.4
+    image: wazuh/wazuh:3.8.2_6.5.4
     hostname: wazuh-manager
     restart: always
     ports:
@@ -23,7 +23,7 @@ services:
     depends_on:
       - logstash
   logstash:
-    image: wazuh/wazuh-logstash:3.8.1_6.5.4
+    image: wazuh/wazuh-logstash:3.8.2_6.5.4
     hostname: logstash
     restart: always
 #    volumes:
@@ -39,7 +39,7 @@ services:
     environment:
       - LS_HEAP_SIZE=2048m
   elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch:6.5.4
+    image: wazuh/wazuh-elasticsearch:3.8.2_6.5.4
     hostname: elasticsearch
     restart: always
     ports:
@@ -61,7 +61,7 @@ services:
     networks:
         - docker_elk
   kibana:
-    image: wazuh/wazuh-kibana:3.8.1_6.5.4
+    image: wazuh/wazuh-kibana:3.8.2_6.5.4
     hostname: kibana
     restart: always
 #    ports:
@@ -76,7 +76,7 @@ services:
       - elasticsearch:elasticsearch
       - wazuh:wazuh
   nginx:
-    image: wazuh/wazuh-nginx:3.8.1_6.5.4
+    image: wazuh/wazuh-nginx:3.8.2_6.5.4
     hostname: nginx
     restart: always
     environment:

elasticsearch/Dockerfile

@@ -0,0 +1,23 @@
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+FROM docker.elastic.co/elasticsearch/elasticsearch:6.5.4
+
+ENV ALERTS_SHARDS="1" \
+    ALERTS_REPLICAS="0"
+
+ENV API_USER="foo" \
+    API_PASS="bar"
+
+ENV TEMPLATE_VERSION=v3.8.2
+
+ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/elasticsearch/config
+
+COPY config/entrypoint.sh /entrypoint.sh
+
+RUN chmod 755 /entrypoint.sh
+
+COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
+
+RUN chmod +x ./load_settings.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["elasticsearch"]

elasticsearch/config/entrypoint.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# For more information https://github.com/elastic/elasticsearch-docker/blob/6.5.4/build/elasticsearch/bin/docker-entrypoint.sh
+
+set -e
+
+# Files created by Elasticsearch should always be group writable too
+umask 0002
+
+run_as_other_user_if_needed() {
+  if [[ "$(id -u)" == "0" ]]; then
+    # If running as root, drop to specified UID and run command
+    exec chroot --userspec=1000 / "${@}"
+  else
+    # Either we are running in Openshift with random uid and are a member of the root group
+    # or with a custom --user
+    exec "${@}"
+  fi
+}
+
+# Run load settings script.
+
+./load_settings.sh &
+
+# Execute elasticsearch
+
+run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch 

elasticsearch/config/load_settings.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_URL}"
+fi
+
+until curl -XGET $el_url; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+>&2 echo "Elastic is up - executing command"
+
+#Insert default templates
+
+sed -i 's|    "index.refresh_interval": "5s"|    "index.refresh_interval": "5s",    "number_of_shards" :   '"${ALERTS_SHARDS}"',    "number_of_replicas" : '"${ALERTS_REPLICAS}"'|' /usr/share/elasticsearch/config/wazuh-elastic6-template-alerts.json
+
+cat /usr/share/elasticsearch/config/wazuh-elastic6-template-alerts.json | curl -XPUT "$el_url/_template/wazuh" -H 'Content-Type: application/json' -d @-
+sleep 5
+
+
+API_PASS_Q=`echo "$API_PASS" | tr -d '"'`
+API_USER_Q=`echo "$API_USER" | tr -d '"'`
+API_PASSWORD=`echo -n $API_PASS_Q | base64`
+
+echo "Setting API credentials into Wazuh APP"
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013)
+if [ "x$CONFIG_CODE" = "x404" ]; then
+  curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
+  {
+    "api_user": "'"$API_USER_Q"'",
+    "api_password": "'"$API_PASSWORD"'",
+    "url": "https://wazuh",
+    "api_port": "55000",
+    "insecure": "true",
+    "component": "API",
+    "cluster_info": {
+      "manager": "wazuh-manager",
+      "cluster": "Disabled",
+      "status": "disabled"
+    },
+    "extensions": {
+      "oscap": true,
+      "audit": true,
+      "pci": true,
+      "aws": true,
+      "virustotal": true,
+      "gdpr": true,
+      "ciscat": true
+    }
+  }
+  ' > /dev/null
+else
+  echo "Wazuh APP already configured"
+fi
+sleep 5
+
+curl -XPUT "$el_url/_cluster/settings" -H 'Content-Type: application/json' -d'
+{
+  "persistent": {
+    "xpack.monitoring.collection.enabled": true
+  }
+}
+'
+
+echo "Elasticsearch is ready."

kibana/Dockerfile

@@ -1,12 +1,10 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 FROM docker.elastic.co/kibana/kibana:6.5.4
-ARG WAZUH_APP_VERSION=3.8.1_6.5.4
+ARG WAZUH_APP_VERSION=3.8.2_6.5.4
 USER root
 
 ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
 
-ADD https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
-
 RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
     chown -R kibana:kibana /usr/share/kibana &&\
     rm -rf /tmp/*

kibana/config/entrypoint.sh

@@ -16,41 +16,6 @@ done
 
 >&2 echo "Elastic is up - executing command"
 
-#Insert default templates
-cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "$el_url/_template/wazuh" -H 'Content-Type: application/json' -d @-
-sleep 5
-
-echo "Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013)
-if [ "x$CONFIG_CODE" = "x404" ]; then
-  curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
-  {
-    "api_user": "foo",
-    "api_password": "YmFy",
-    "url": "https://wazuh",
-    "api_port": "55000",
-    "insecure": "true",
-    "component": "API",
-    "cluster_info": {
-      "manager": "wazuh-manager",
-      "cluster": "Disabled",
-      "status": "disabled"
-    },
-    "extensions": {
-      "oscap": true,
-      "audit": true,
-      "pci": true,
-      "aws": true,
-      "virustotal": true,
-      "gdpr": true,
-      "ciscat": true
-    }
-  }
-  ' > /dev/null
-else
-  echo "Wazuh APP already configured"
-fi
-sleep 5
 
 ./wazuh_app_config.sh
 

wazuh/Dockerfile

@@ -1,8 +1,10 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 FROM phusion/baseimage:latest
 ARG FILEBEAT_VERSION=6.5.4
-ARG WAZUH_VERSION=3.8.1-1
+ARG WAZUH_VERSION=3.8.2-1
 
+ENV API_USER="foo" \
+    API_PASS="bar"
 
 # Updating image
 RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"

wazuh/config/entrypoint.sh

@@ -129,4 +129,19 @@ do
   exec_cmd_stdout "${CUSTOM_COMMAND}"
 done
 
+
+##############################################################################
+# Change Wazuh API user credentials.
+##############################################################################
+
+
+pushd /var/ossec/api/configuration/auth/
+
+echo "Change Wazuh API user credentials"
+change_user="node htpasswd -b -c user $API_USER $API_PASS"
+eval $change_user
+
+popd
+
+
 /sbin/my_init