From 84fe19e86823564acca1144c927cf58752fb9309 Mon Sep 17 00:00:00 2001 From: Alberto R Date: Wed, 24 Nov 2021 17:01:09 +0100 Subject: [PATCH 1/3] Bumped to 4.4.0 --- .goss.yaml | 2 +- CHANGELOG.md | 5 +++++ README.md | 1 + VERSION | 4 ++-- docker-compose.yml | 4 ++-- kibana-odfe/Dockerfile | 2 +- kibana/Dockerfile | 2 +- production-cluster.yml | 6 +++--- production_cluster/wazuh_cluster/wazuh_manager.conf | 4 ++-- production_cluster/wazuh_cluster/wazuh_worker.conf | 4 ++-- wazuh-odfe/Dockerfile | 2 +- xpack-compose.yml | 4 ++-- xpack-from-sources.yml | 4 ++-- 13 files changed, 25 insertions(+), 19 deletions(-) diff --git a/.goss.yaml b/.goss.yaml index 292c1a66..769fbcbb 100644 --- a/.goss.yaml +++ b/.goss.yaml @@ -56,7 +56,7 @@ package: wazuh-manager: installed: true versions: - - 4.3.0 + - 4.4.0 port: tcp:1514: listening: true diff --git a/CHANGELOG.md b/CHANGELOG.md index 6e6992ca..d72fdf60 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,11 @@ # Change Log All notable changes to this project will be documented in this file. +## Wazuh Docker v4.4.0 +### Added + +- Update Wazuh to version [4.4.0](https://github.com/wazuh/wazuh/blob/v4.4.0/CHANGELOG.md#v440) + ## Wazuh Docker v4.3.0 ### Added diff --git a/README.md b/README.md index a411ec5b..ba73ed84 100644 --- a/README.md +++ b/README.md @@ -153,6 +153,7 @@ ADMIN_PRIVILEGES=true # App privileges | Wazuh version | ODFE | XPACK | |---------------|---------|--------| +| v4.4.0 | 1.13.2 | 7.11.2 | | v4.3.0 | 1.13.2 | 7.11.2 | | v4.2.5 | 1.13.2 | 7.11.2 | | v4.2.4 | 1.13.2 | 7.11.2 | diff --git a/VERSION b/VERSION index 5fedc35e..1b8da5ba 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-DOCKER_VERSION="4.3.0" -REVISION="43100" +WAZUH-DOCKER_VERSION="4.4.0" +REVISION="40400" diff --git a/docker-compose.yml b/docker-compose.yml index 2b12af30..e7ed2f7d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -3,7 +3,7 @@ version: '3.7' services: wazuh: - image: wazuh/wazuh-odfe:4.3.0 + image: wazuh/wazuh-odfe:4.4.0 hostname: wazuh-manager restart: always ports: @@ -50,7 +50,7 @@ services: hard: 65536 kibana: - image: wazuh/wazuh-kibana-odfe:4.3.0 + image: wazuh/wazuh-kibana-odfe:4.4.0 hostname: kibana restart: always ports: diff --git a/kibana-odfe/Dockerfile b/kibana-odfe/Dockerfile index 1d304341..d133d140 100644 --- a/kibana-odfe/Dockerfile +++ b/kibana-odfe/Dockerfile @@ -2,7 +2,7 @@ FROM amazon/opendistro-for-elasticsearch-kibana:1.13.2 USER kibana ARG ELASTIC_VERSION=7.10.2 -ARG WAZUH_VERSION=4.3.0 +ARG WAZUH_VERSION=4.4.0 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" WORKDIR /usr/share/kibana diff --git a/kibana/Dockerfile b/kibana/Dockerfile index d98443ae..d0a17f71 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile @@ -2,7 +2,7 @@ FROM docker.elastic.co/kibana/kibana:7.10.2 USER kibana ARG ELASTIC_VERSION=7.10.2 -ARG WAZUH_VERSION=4.3.0 +ARG WAZUH_VERSION=4.4.0 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" WORKDIR /usr/share/kibana diff --git a/production-cluster.yml b/production-cluster.yml index df0d2250..64502411 100644 --- a/production-cluster.yml +++ b/production-cluster.yml @@ -3,7 +3,7 @@ version: '3.7' services: wazuh-master: - image: wazuh/wazuh-odfe:4.3.0 + image: wazuh/wazuh-odfe:4.4.0 hostname: wazuh-master restart: always ports: @@ -38,7 +38,7 @@ services: - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf wazuh-worker: - image: wazuh/wazuh-odfe:4.3.0 + image: wazuh/wazuh-odfe:4.4.0 hostname: wazuh-worker restart: always environment: @@ -134,7 +134,7 @@ services: - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml kibana: - image: wazuh/wazuh-kibana-odfe:4.3.0 + image: wazuh/wazuh-kibana-odfe:4.4.0 hostname: kibana restart: always ports: 
diff --git a/production_cluster/wazuh_cluster/wazuh_manager.conf b/production_cluster/wazuh_cluster/wazuh_manager.conf index 38a180d6..e24dd77f 100644 --- a/production_cluster/wazuh_cluster/wazuh_manager.conf +++ b/production_cluster/wazuh_cluster/wazuh_manager.conf @@ -200,8 +200,8 @@ 127.0.0.1 ^localhost.localdomain$ - 4.3.0.1 - 4.3.0.2 + 4.4.0.1 + 4.4.0.2 208.67.220.220 diff --git a/production_cluster/wazuh_cluster/wazuh_worker.conf b/production_cluster/wazuh_cluster/wazuh_worker.conf index bc0bbb8d..1c17cac7 100644 --- a/production_cluster/wazuh_cluster/wazuh_worker.conf +++ b/production_cluster/wazuh_cluster/wazuh_worker.conf @@ -200,8 +200,8 @@ 127.0.0.1 ^localhost.localdomain$ - 4.3.0.1 - 4.3.0.2 + 4.4.0.1 + 4.4.0.2 208.67.220.220 diff --git a/wazuh-odfe/Dockerfile b/wazuh-odfe/Dockerfile index 73cb6034..051c520c 100644 --- a/wazuh-odfe/Dockerfile +++ b/wazuh-odfe/Dockerfile @@ -3,7 +3,7 @@ FROM centos:7 ARG FILEBEAT_CHANNEL=filebeat-oss ARG FILEBEAT_VERSION=7.10.2 -ARG WAZUH_VERSION=4.3.0-1 +ARG WAZUH_VERSION=4.4.0-1 ARG TEMPLATE_VERSION="master" ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz" diff --git a/xpack-compose.yml b/xpack-compose.yml index f741a7ce..8fdb12e7 100644 --- a/xpack-compose.yml +++ b/xpack-compose.yml @@ -3,7 +3,7 @@ version: '3.7' services: wazuh: - image: wazuh/wazuh:4.3.0 + image: wazuh/wazuh:4.4.0 hostname: wazuh-manager restart: always ports: @@ -146,7 +146,7 @@ services: kibana: - image: wazuh/wazuh-kibana:4.3.0 + image: wazuh/wazuh-kibana:4.4.0 hostname: kibana restart: always ports: diff --git a/xpack-from-sources.yml b/xpack-from-sources.yml index 922eee93..ff5fb355 100644 --- a/xpack-from-sources.yml +++ b/xpack-from-sources.yml @@ -8,7 +8,7 @@ services: args: - FILEBEAT_CHANNEL=filebeat - FILEBEAT_VERSION=7.11.2 - image: wazuh/wazuh:4.3.0 + image: wazuh/wazuh:4.4.0 hostname: wazuh-manager restart: always ports: 
@@ -152,7 +152,7 @@ services: kibana: build: kibana/ - image: wazuh/wazuh-kibana:4.3.0 + image: wazuh/wazuh-kibana:4.4.0 hostname: kibana restart: always ports: From 39d01d51b1a6dcc2006f46c2e81c3f47efdc887c Mon Sep 17 00:00:00 2001 From: gx1 Date: Fri, 28 Jan 2022 19:04:36 +0100 Subject: [PATCH 2/3] Templating production_cluster folder --- .gitignore | 1 + README.md | 6 + .../elasticsearch-node1.yml | 31 ++ .../elasticsearch-node2.yml | 31 ++ .../elasticsearch-node3.yml | 31 ++ .../elastic_opendistro/internal_users.yml | 56 +++ .../kibana_ssl/generate-self-signed-cert.sh | 13 + production_cluster.tpl/nginx/nginx.conf | 67 ++++ .../nginx/ssl/generate-self-signed-cert.sh | 12 + production_cluster.tpl/ssl_certs/certs.yml | 35 ++ .../wazuh_cluster/wazuh_manager.conf | 349 ++++++++++++++++++ .../wazuh_cluster/wazuh_worker.conf | 349 ++++++++++++++++++ 12 files changed, 981 insertions(+) create mode 100644 .gitignore create mode 100644 production_cluster.tpl/elastic_opendistro/elasticsearch-node1.yml create mode 100644 production_cluster.tpl/elastic_opendistro/elasticsearch-node2.yml create mode 100644 production_cluster.tpl/elastic_opendistro/elasticsearch-node3.yml create mode 100644 production_cluster.tpl/elastic_opendistro/internal_users.yml create mode 100644 production_cluster.tpl/kibana_ssl/generate-self-signed-cert.sh create mode 100644 production_cluster.tpl/nginx/nginx.conf create mode 100644 production_cluster.tpl/nginx/ssl/generate-self-signed-cert.sh create mode 100644 production_cluster.tpl/ssl_certs/certs.yml create mode 100644 production_cluster.tpl/wazuh_cluster/wazuh_manager.conf create mode 100644 production_cluster.tpl/wazuh_cluster/wazuh_worker.conf diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..ef5aafaf --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +production_cluster \ No newline at end of file diff --git a/README.md b/README.md index ba73ed84..4579c25d 100644 --- a/README.md +++ b/README.md 
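Review bot: The new `production_cluster` ignore rule does not untrack the directory that is still committed — patch 1 of this series still edits production_cluster/wazuh_cluster/wazuh_manager.conf and this patch deletes nothing — so the tracked copy keeps shadowing the template, and the README's `cp -r production_cluster.tpl production_cluster` copies the template into a subdirectory of the existing directory instead of creating it. Remove the tracked files in the same change (`git rm -r --cached production_cluster`) or the template is never what gets launched. Writing the pattern as `production_cluster/` would also make it explicit that a directory, not a file, is meant.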
@@ -21,6 +21,12 @@ In addition, a docker-compose file is provided to launch the containers mentione * [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html) * [Docker hub](https://hub.docker.com/u/wazuh) +To start, just copy the `production_cluster.tpl` template directory: +``` +cp -r production_cluster.tpl production_cluster +``` +and follow the documentation to run the Wazuh stack. + ### Setup SSL certificate diff --git a/production_cluster.tpl/elastic_opendistro/elasticsearch-node1.yml b/production_cluster.tpl/elastic_opendistro/elasticsearch-node1.yml new file mode 100644 index 00000000..4f9a628d --- /dev/null +++ b/production_cluster.tpl/elastic_opendistro/elasticsearch-node1.yml 
@@ -0,0 +1,31 @@ +network.host: 0.0.0.0 +cluster.name: wazuh-cluster +node.name: elasticsearch +discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3 +cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3 +bootstrap.memory_lock: true + +opendistro_security.ssl.transport.pemcert_filepath: node1.pem +opendistro_security.ssl.transport.pemkey_filepath: node1.key +opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem +opendistro_security.ssl.transport.enforce_hostname_verification: false +opendistro_security.ssl.transport.resolve_hostname: false +opendistro_security.ssl.http.enabled: true +opendistro_security.ssl.http.pemcert_filepath: node1.pem +opendistro_security.ssl.http.pemkey_filepath: node1.key +opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem +opendistro_security.allow_default_init_securityindex: true +opendistro_security.nodes_dn: + - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com' +opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com'] +opendistro_security.audit.type: internal_elasticsearch +opendistro_security.enable_snapshot_restore_privilege: true +opendistro_security.check_snapshot_restore_write_privileges: true +opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] +cluster.routing.allocation.disk.threshold_enabled: false +#opendistro_security.audit.config.disabled_rest_categories: NONE +#opendistro_security.audit.config.disabled_transport_categories: NONE +opendistro_security.audit.log_request_body: false diff --git a/production_cluster.tpl/elastic_opendistro/elasticsearch-node2.yml b/production_cluster.tpl/elastic_opendistro/elasticsearch-node2.yml new file mode 100644 index 00000000..e368461e --- /dev/null 
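Review bot: `opendistro_security.nodes_dn` and `opendistro_security.authcz.admin_dn` hard-code the `O=Example\, Inc.` subject names, and nothing in the file says they must match the `dn` entries the certificate generator reads from ssl_certs/certs.yml; a user who changes one side without the other locks the nodes out of the transport layer. A header comment such as `# nodes_dn / admin_dn must match the dn entries in ../ssl_certs/certs.yml` would prevent that, and the same comment belongs in elasticsearch-node2.yml and elasticsearch-node3.yml. `enforce_hostname_verification: false` also deserves a one-line comment: it accepts a node certificate regardless of the host it was issued for, which is presumably tolerated here because certs.yml pins one compose service name per node, and that reasoning should travel with the setting rather than be copied blindly.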
+++ b/production_cluster.tpl/elastic_opendistro/elasticsearch-node2.yml @@ -0,0 +1,31 @@ +network.host: 0.0.0.0 +cluster.name: wazuh-cluster +node.name: elasticsearch-2 +discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3 +cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3 +bootstrap.memory_lock: true + +opendistro_security.ssl.transport.pemcert_filepath: node2.pem +opendistro_security.ssl.transport.pemkey_filepath: node2.key +opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem +opendistro_security.ssl.transport.enforce_hostname_verification: false +opendistro_security.ssl.transport.resolve_hostname: false +opendistro_security.ssl.http.enabled: true +opendistro_security.ssl.http.pemcert_filepath: node2.pem +opendistro_security.ssl.http.pemkey_filepath: node2.key +opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem +opendistro_security.allow_default_init_securityindex: true +opendistro_security.nodes_dn: + - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com' +opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com'] +opendistro_security.audit.type: internal_elasticsearch +opendistro_security.enable_snapshot_restore_privilege: true +opendistro_security.check_snapshot_restore_write_privileges: true +opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] +cluster.routing.allocation.disk.threshold_enabled: false +#opendistro_security.audit.config.disabled_rest_categories: NONE +#opendistro_security.audit.config.disabled_transport_categories: NONE +opendistro_security.audit.log_request_body: false 
diff --git a/production_cluster.tpl/elastic_opendistro/elasticsearch-node3.yml b/production_cluster.tpl/elastic_opendistro/elasticsearch-node3.yml new file mode 100644 index 00000000..14717a81 --- /dev/null +++ b/production_cluster.tpl/elastic_opendistro/elasticsearch-node3.yml 
@@ -0,0 +1,31 @@ +network.host: 0.0.0.0 +cluster.name: wazuh-cluster +node.name: elasticsearch-3 +discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3 +cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3 +bootstrap.memory_lock: true + +opendistro_security.ssl.transport.pemcert_filepath: node3.pem +opendistro_security.ssl.transport.pemkey_filepath: node3.key +opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem +opendistro_security.ssl.transport.enforce_hostname_verification: false +opendistro_security.ssl.transport.resolve_hostname: false +opendistro_security.ssl.http.enabled: true +opendistro_security.ssl.http.pemcert_filepath: node3.pem +opendistro_security.ssl.http.pemkey_filepath: node3.key +opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem +opendistro_security.allow_default_init_securityindex: true +opendistro_security.nodes_dn: + - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com' + - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com' +opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com'] +opendistro_security.audit.type: internal_elasticsearch +opendistro_security.enable_snapshot_restore_privilege: true +opendistro_security.check_snapshot_restore_write_privileges: true +opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] +cluster.routing.allocation.disk.threshold_enabled: false +#opendistro_security.audit.config.disabled_rest_categories: NONE +#opendistro_security.audit.config.disabled_transport_categories: NONE +opendistro_security.audit.log_request_body: false diff --git a/production_cluster.tpl/elastic_opendistro/internal_users.yml b/production_cluster.tpl/elastic_opendistro/internal_users.yml new file mode 100644 index 00000000..d9f05b34 --- /dev/null 
+++ b/production_cluster.tpl/elastic_opendistro/internal_users.yml @@ -0,0 +1,56 @@ +--- +# This is the internal user database +# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh + +_meta: + type: "internalusers" + config_version: 2 + +# Define your internal users here + +## Demo users + +admin: + hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO" + reserved: true + backend_roles: + - "admin" + description: "Demo admin user" + +kibanaserver: + hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H." + reserved: true + description: "Demo kibanaserver user" + +kibanaro: + hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC" + reserved: false + backend_roles: + - "kibanauser" + - "readall" + attributes: + attribute1: "value1" + attribute2: "value2" + attribute3: "value3" + description: "Demo kibanaro user" + +logstash: + hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2" + reserved: false + backend_roles: + - "logstash" + description: "Demo logstash user" + +readall: + hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2" + reserved: false + backend_roles: + - "readall" + description: "Demo readall user" + +snapshotrestore: + hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W" + reserved: false + backend_roles: + - "snapshotrestore" + description: "Demo snapshotrestore user" diff --git a/production_cluster.tpl/kibana_ssl/generate-self-signed-cert.sh b/production_cluster.tpl/kibana_ssl/generate-self-signed-cert.sh new file mode 100644 index 00000000..5951acf7 --- /dev/null +++ b/production_cluster.tpl/kibana_ssl/generate-self-signed-cert.sh 
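Review bot: Every account in this file ships with a bcrypt hash committed to the repository, so the password hashes of each deployment built from the template are public and whatever demo passwords they encode are shared by all such deployments — including `admin`, which is `reserved: true` and carries `backend_roles: admin`. The header only says hashes "can be generated with plugin/tools/hash.sh"; it should require it, e.g. `# REPLACE every hash below before first start: these demo values are public (see plugin/tools/hash.sh)`. Consider dropping the accounts a Wazuh stack may not use (`logstash`, `readall`, `snapshotrestore`, `kibanaro`) from the template instead of shipping them enabled; whether any compose file references them cannot be seen from this patch.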
@@ -0,0 +1,13 @@ +#!/bin/bash + +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +cd $DIR + +if [ -s key.pem ] +then + echo "Certificate already exists" + exit +else + openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem + chown -R 1000:1000 *.pem +fi diff --git a/production_cluster.tpl/nginx/nginx.conf b/production_cluster.tpl/nginx/nginx.conf new file mode 100644 index 00000000..8cd13ca2 --- /dev/null +++ b/production_cluster.tpl/nginx/nginx.conf @@ -0,0 +1,67 @@ +user nginx; +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + tcp_nopush on; + + keepalive_timeout 65; + + server_tokens off; + gzip on; + + # kibana UI + server { + listen 80; + listen [::]:80; + return 301 https://$host:443$request_uri; + } + + server { + listen 443 default_server ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/nginx/ssl/cert.pem; + ssl_certificate_key /etc/nginx/ssl/key.pem; + location / { + proxy_pass https://kibana:5601/; + proxy_ssl_verify off; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + } + } + +} + + + +# load balancer for Wazuh cluster +stream { + upstream mycluster { + hash $remote_addr consistent; + server wazuh-master:1514; + server wazuh-worker:1514; + } + server { + listen 1514; + proxy_pass mycluster; + } +} diff --git a/production_cluster.tpl/nginx/ssl/generate-self-signed-cert.sh b/production_cluster.tpl/nginx/ssl/generate-self-signed-cert.sh new file mode 100644 index 00000000..e006733f --- /dev/null 
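Review bot: `cd $DIR` is unquoted and unchecked, so if the path contains whitespace or the cd fails, the `openssl` call below writes key.pem and cert.pem into the caller's working directory; put `set -euo pipefail` after the shebang and write `cd "$DIR"`. The guard `[ -s key.pem ]` only looks at the key, so a deleted or empty cert.pem beside a surviving key is reported as "Certificate already exists" and never regenerated — `if [ -s key.pem ] && [ -s cert.pem ]` covers both files. `chown -R 1000:1000 *.pem` is presumably for the uid the kibana container runs as; a comment saying so would help the next reader. production_cluster.tpl/nginx/ssl/generate-self-signed-cert.sh has the same unquoted cd and the same one-sided guard.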
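Review bot: The `listen 443` server block sets a certificate and key but no `ssl_protocols` or `ssl_ciphers`, so the accepted protocol versions are whatever the nginx image defaults to; pin them, e.g. `ssl_protocols TLSv1.2 TLSv1.3;`. `proxy_ssl_verify off;` on the kibana upstream is presumably deliberate because kibana serves the self-signed certificate from kibana_ssl/, but that reason belongs in a comment next to the directive so it is not carried into setups that use a real CA. The `hash $remote_addr consistent;` line in the `stream` block is also worth a one-line comment — it presumably keeps an agent pinned to one manager across reconnects and is easy to remove as "unnecessary".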
+++ b/production_cluster.tpl/nginx/ssl/generate-self-signed-cert.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +cd $DIR + +if [ -s key.pem ] +then + echo "Certificate already exists" + exit +else + openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem +fi diff --git a/production_cluster.tpl/ssl_certs/certs.yml b/production_cluster.tpl/ssl_certs/certs.yml new file mode 100644 index 00000000..486e4178 --- /dev/null +++ b/production_cluster.tpl/ssl_certs/certs.yml @@ -0,0 +1,35 @@ +ca: + root: + dn: CN=root-ca,OU=CA,O=Example\, Inc.,DC=example,DC=com + pkPassword: none + keysize: 2048 + file: root-ca.pem + intermediate: + dn: CN=intermediate,OU=CA,O=Example\, Inc.,DC=example,DC=com + keysize: 2048 + validityDays: 3650 + pkPassword: intermediate-ca-password + file: intermediate-ca.pem + +nodes: + - name: node1 + dn: CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com + dns: + - elasticsearch + - name: node2 + dn: CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com + dns: + - elasticsearch-2 + - name: node3 + dn: CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com + dns: + - elasticsearch-3 + - name: filebeat + dn: CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com + dns: + - wazuh + +clients: + - name: admin + dn: CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com + admin: true diff --git a/production_cluster.tpl/wazuh_cluster/wazuh_manager.conf b/production_cluster.tpl/wazuh_cluster/wazuh_manager.conf new file mode 100644 index 00000000..e24dd77f --- /dev/null +++ b/production_cluster.tpl/wazuh_cluster/wazuh_manager.conf 
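Review bot: `pkPassword: intermediate-ca-password` commits a literal private-key password into the template, and `pkPassword: none` leaves the root CA key unencrypted, so anyone who copies the template unchanged gets CA key material protected by a string published in this repository. Replace the value with a clearly marked placeholder and a comment such as `# pkPassword: set a unique value before running the generator`, or document that the generated CA keys must be moved off the host once the node certificates are issued. `validityDays: 3650` is set only on the intermediate CA, so the root and node certificates presumably get the generator's default lifetime — state that or set it explicitly.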
@@ -0,0 +1,349 @@ + + + yes + yes + no + no + no + smtp.example.wazuh.com + wazuh@example.wazuh.com + recipient@example.wazuh.com + 12 + alerts.log + + + + 3 + 12 + + + + + plain + + + + secure + 1514 + tcp + 131072 + + + + + no + yes + yes + yes + yes + yes + yes + yes + + + 43200 + + /var/ossec/etc/rootcheck/rootkit_files.txt + /var/ossec/etc/rootcheck/rootkit_trojans.txt + + yes + + + + yes + 1800 + 1d + yes + + wodles/java + wodles/ciscat + + + + + yes + yes + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + yes + + + + + no + 1h + yes + yes + yes + yes + yes + yes + yes + + + + yes + yes + 12h + yes + + + + no + 5m + 6h + yes + + + + no + trusty + xenial + bionic + focal + 1h + + + + + no + stretch + buster + 1h + + + + + no + 5 + 6 + 7 + 8 + 1h + + + + + yes + 1h + + + + + yes + 2010 + 1h + + + + + + + no + + + 43200 + + yes + + + yes + + + no + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin,/boot + + + /etc/mtab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/random.seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + + + .log$|.swp$ + + + /etc/ssl/private.key + + yes + yes + yes + yes + + + 10 + + + 100 + + + + yes + 5m + 1h + 10 + + + + + + 127.0.0.1 + ^localhost.localdomain$ + 4.4.0.1 + 4.4.0.2 + 208.67.220.220 + + + + disable-account + disable-account.sh + user + yes + + + + restart-ossec + restart-ossec.sh + + + + + firewall-drop + firewall-drop.sh + srcip + yes + + + + host-deny + host-deny.sh + srcip + yes + + + + route-null + route-null.sh + srcip + yes + + + + win_route-null + route-null.cmd + srcip + yes + + + + win_route-null-2012 + route-null-2012.cmd + srcip + yes + + + + netsh + netsh.cmd + srcip + yes + + + + netsh-win-2016 + netsh-win-2016.cmd + srcip + yes + + + + + + + command + df -P + 360 + + + + full_command + netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ 
\([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + netstat listening ports + 360 + + + + full_command + last -n 20 + 360 + + + + + ruleset/decoders + ruleset/rules + 0215-policy_rules.xml + etc/lists/audit-keys + etc/lists/amazon/aws-eventnames + etc/lists/security-eventchannel + + + etc/decoders + etc/rules + + + + + no + 1515 + no + yes + 0 + yes + no + yes + HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH + + no + /var/ossec/etc/sslmanager.cert + /var/ossec/etc/sslmanager.key + no + + + + wazuh + manager + master + c98b6ha9b6169zc5f67rae55ae4z5647 + 1516 + 0.0.0.0 + + wazuh-master + + no + no + + + + + + + syslog + /var/ossec/logs/active-responses.log + + diff --git a/production_cluster.tpl/wazuh_cluster/wazuh_worker.conf b/production_cluster.tpl/wazuh_cluster/wazuh_worker.conf new file mode 100644 index 00000000..1c17cac7 --- /dev/null +++ b/production_cluster.tpl/wazuh_cluster/wazuh_worker.conf 
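Review bot: The cluster key `c98b6ha9b6169zc5f67rae55ae4z5647` is committed in the template (and identically in the wazuh_worker.conf hunk that follows), so every stack copied from it shares the key that authenticates the worker-to-master cluster channel on port 1516; the template should carry a placeholder plus a comment telling the user to generate a fresh 32-character key per deployment. The entries `4.4.0.1` and `4.4.0.2` listed next to `127.0.0.1` and `208.67.220.220` in what appears to be the active-response white list look like IP addresses that have been tracking the release number — patch 1 of this series rewrote them from `4.3.0.1`/`4.3.0.2` — which suggests a version-bump search-and-replace clobbered real addresses; confirm what they were meant to be. Both points apply to the worker file as well. Element names are not visible in this rendering, so the section attributions above are inferred from the values.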
@@ -0,0 +1,349 @@ + + + yes + yes + no + no + no + smtp.example.wazuh.com + wazuh@example.wazuh.com + recipient@example.wazuh.com + 12 + alerts.log + + + + 3 + 12 + + + + + plain + + + + secure + 1514 + tcp + 131072 + + + + + no + yes + yes + yes + yes + yes + yes + yes + + + 43200 + + /var/ossec/etc/rootcheck/rootkit_files.txt + /var/ossec/etc/rootcheck/rootkit_trojans.txt + + yes + + + + yes + 1800 + 1d + yes + + wodles/java + wodles/ciscat + + + + + yes + yes + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + yes + + + + + no + 1h + yes + yes + yes + yes + yes + yes + yes + + + + yes + yes + 12h + yes + + + + no + 5m + 6h + yes + + + + no + trusty + xenial + bionic + focal + 1h + + + + + no + stretch + buster + 1h + + + + + no + 5 + 6 + 7 + 8 + 1h + + + + + yes + 1h + + + + + yes + 2010 + 1h + + + + + + + no + + + 43200 + + yes + + + yes + + + no + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin,/boot + + + /etc/mtab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/random.seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + + + .log$|.swp$ + + + /etc/ssl/private.key + + yes + yes + yes + yes + + + 10 + + + 100 + + + + yes + 5m + 1h + 10 + + + + + + 127.0.0.1 + ^localhost.localdomain$ + 4.4.0.1 + 4.4.0.2 + 208.67.220.220 + + + + disable-account + disable-account.sh + user + yes + + + + restart-ossec + restart-ossec.sh + + + + + firewall-drop + firewall-drop.sh + srcip + yes + + + + host-deny + host-deny.sh + srcip + yes + + + + route-null + route-null.sh + srcip + yes + + + + win_route-null + route-null.cmd + srcip + yes + + + + win_route-null-2012 + route-null-2012.cmd + srcip + yes + + + + netsh + netsh.cmd + srcip + yes + + + + netsh-win-2016 + netsh-win-2016.cmd + srcip + yes + + + + + + + command + df -P + 360 + + + + full_command + netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ 
\([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + netstat listening ports + 360 + + + + full_command + last -n 20 + 360 + + + + + ruleset/decoders + ruleset/rules + 0215-policy_rules.xml + etc/lists/audit-keys + etc/lists/amazon/aws-eventnames + etc/lists/security-eventchannel + + + etc/decoders + etc/rules + + + + + no + 1515 + no + yes + 0 + yes + no + yes + HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH + + no + /var/ossec/etc/sslmanager.cert + /var/ossec/etc/sslmanager.key + no + + + + wazuh + worker01 + worker + c98b6ha9b6169zc5f67rae55ae4z5647 + 1516 + 0.0.0.0 + + wazuh-master + + no + no + + + + + + + syslog + /var/ossec/logs/active-responses.log + + From 1d9de8e0e29b92a70ab0627d6e673663e67e67c5 Mon Sep 17 00:00:00 2001 From: gx1 Date: Fri, 28 Jan 2022 19:36:43 +0100 Subject: [PATCH 3/3] Added makefile --- Makefile | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 18 ++++++++++++++++++ 2 files changed, 71 insertions(+) create mode 100644 Makefile diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..f9a3a9eb --- /dev/null +++ b/Makefile 
@@ -0,0 +1,53 @@
+DEV_STACK = docker-compose.yml
+PROD_STACK = production-cluster.yml
+BUILD_STACK = build-from-sources.yml
+CERT_STACK = generate-opendistro-certs.yml
+PROD_DIR = production_cluster
+SSL_DIR = $(PROD_DIR)/ssl_certs
+NGINX_SSL = $(PROD_DIR)/nginx/ssl
+KIBANA_SSL = $(PROD_DIR)/kibana_ssl/
+
+DEFAULT_FLAGS = -d --remove-orphans
+COMPOSE = docker-compose
+
+
+images-build:
+ $(COMPOSE) -f $(BUILD_STACK) up
+
+
+certs-create: prod-stop
+ $(COMPOSE) -f $(CERT_STACK) run --rm generator
+ bash $(NGINX_SSL)/generate-self-signed-cert.sh
+ bash $(KIBANA_SSL)/generate-self-signed-cert.sh
+
+dev-up:
+ $(COMPOSE) up $(DEFAULT_FLAGS)
+
+dev-down:
+ $(COMPOSE) down
+
+prod-elk-run:
+ $(COMPOSE) -f $(PROD_STACK) up elasticsearch elasticsearch-2 elasticsearch-3 $(DEFAULT_FLAGS)
+
+prod-kibana-run:
+ $(COMPOSE) -f $(PROD_STACK) up kibana $(DEFAULT_FLAGS)
+
+prod-nginx-run:
+ $(COMPOSE) -f $(PROD_STACK) up nginx $(DEFAULT_FLAGS)
+
+prod-run:
+ $(COMPOSE) -f $(PROD_STACK) up $(DEFAULT_FLAGS)
+
+prod-up:
+ $(COMPOSE) -f $(PROD_STACK) up $(DEFAULT_FLAGS)
+
+prod-stop:
+ $(COMPOSE) -f $(PROD_STACK) stop
+
+prod-down:
+ $(COMPOSE) -f $(PROD_STACK) down
+
+certs-clean: prod-stop
+ rm -f $(SSL_DIR)/admin* $(SSL_DIR)/node* $(SSL_DIR)/root* $(SSL_DIR)/filebeat* $(SSL_DIR)/intermediate* $(SSL_DIR)/client-cert*
+
+clean: certs-clean dev-down prod-down
\ No newline at end of file
diff --git a/README.md b/README.md
index 4579c25d..48e0db37 100644
--- a/README.md
+++ b/README.md
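Review bot: None of the targets is declared `.PHONY`, yet every one of them is a command rather than a file, so a file or directory named `clean`, `prod-up` or `certs-clean` in the checkout makes make report it up to date and silently do nothing; add `.PHONY: images-build certs-create dev-up dev-down prod-elk-run prod-kibana-run prod-nginx-run prod-run prod-up prod-stop prod-down certs-clean clean` near the top. `clean: certs-clean dev-down prod-down` relies on prerequisite order, which is not guaranteed under `make -j`, so `prod-down` can race the `prod-stop` that `certs-clean` depends on. The variables use `=` where `:=` is the predictable choice, `prod-run` and `prod-up` are identical recipes, and the file lacks a trailing newline. The `rm -f $(SSL_DIR)/admin* …` recipe should be guarded against an empty `PROD_DIR` (`$(if $(strip $(PROD_DIR)),,$(error PROD_DIR is empty))`), since an empty value turns those paths into `/ssl_certs/...`.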
@@ -27,6 +27,24 @@ cp -r production_cluster.tpl production_cluster ``` and follow the documentation to run the Wazuh stack. +### Usage through make +You can use `Makefile` to run the stack: + +* build images: `make images-build` +* run dev stack: `make dev-up` +* stop dev stack: `make dev-down` +* creates certificates: `make certs-create` +* run prod elastic nodes: `make prod-elk-run` +* run prod kibana: `make prod-kibana-run` +* run prod nginx: `make prod-nginx-run` +* run prod stack: `make prod-run` +* stop prod stack: `make prod-stop` +* destroy prod stack: `make prod-down` +* clean generated certificates : `make certs-clean` +* clean the stack: `make clean` + +To try `wazuh`, just run `make dev-up`. +To run `wazuh`in production, creates certificates (`make certs-create`) and run prod stack (`make prod-run`) ### Setup SSL certificate