diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..ef5aafaf
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+production_cluster
\ No newline at end of file
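Review bot: Ignoring `production_cluster` does not untrack files already committed under it, and this same commit still edits the tracked `production_cluster/wazuh_cluster/wazuh_manager.conf` and `wazuh_worker.conf`, so the tracked copy will keep drifting from `production_cluster.tpl`. If the intent is that `production_cluster/` becomes a per-deployment working directory (it is also where the cert scripts drop private keys), the already-tracked files need `git rm -r --cached production_cluster` in the same change; otherwise the ignore only covers newly created paths. A trailing newline on the `.gitignore` would also avoid the `\ No newline at end of file` marker on every future diff.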
diff --git a/.goss.yaml b/.goss.yaml
index 292c1a66..769fbcbb 100644
--- a/.goss.yaml
+++ b/.goss.yaml
@@ -56,7 +56,7 @@ package:
wazuh-manager:
installed: true
versions:
- - 4.3.0
+ - 4.4.0
port:
tcp:1514:
listening: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6e6992ca..d72fdf60 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,11 @@
# Change Log
All notable changes to this project will be documented in this file.
+## Wazuh Docker v4.4.0
+### Added
+
+- Update Wazuh to version [4.4.0](https://github.com/wazuh/wazuh/blob/v4.4.0/CHANGELOG.md#v440)
+
## Wazuh Docker v4.3.0
### Added
diff --git a/README.md b/README.md
index a411ec5b..4579c25d 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,12 @@ In addition, a docker-compose file is provided to launch the containers mentione
* [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
* [Docker hub](https://hub.docker.com/u/wazuh)
+To start, just copy the `production_cluster.tpl` template directory:
+```
+cp -r production_cluster.tpl production_cluster
+```
+and follow the documentation to run the Wazuh stack.
+
### Setup SSL certificate
@@ -153,6 +159,7 @@ ADMIN_PRIVILEGES=true # App privileges
| Wazuh version | ODFE | XPACK |
|---------------|---------|--------|
+| v4.4.0 | 1.13.2 | 7.11.2 |
| v4.3.0 | 1.13.2 | 7.11.2 |
| v4.2.5 | 1.13.2 | 7.11.2 |
| v4.2.4 | 1.13.2 | 7.11.2 |
diff --git a/VERSION b/VERSION
index 5fedc35e..1b8da5ba 100644
--- a/VERSION
+++ b/VERSION
@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="4.3.0"
-REVISION="43100"
+WAZUH-DOCKER_VERSION="4.4.0"
+REVISION="40400"
diff --git a/docker-compose.yml b/docker-compose.yml
index 2b12af30..e7ed2f7d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,7 +3,7 @@ version: '3.7'
services:
wazuh:
- image: wazuh/wazuh-odfe:4.3.0
+ image: wazuh/wazuh-odfe:4.4.0
hostname: wazuh-manager
restart: always
ports:
@@ -50,7 +50,7 @@ services:
hard: 65536
kibana:
- image: wazuh/wazuh-kibana-odfe:4.3.0
+ image: wazuh/wazuh-kibana-odfe:4.4.0
hostname: kibana
restart: always
ports:
diff --git a/kibana-odfe/Dockerfile b/kibana-odfe/Dockerfile
index 1d304341..d133d140 100644
--- a/kibana-odfe/Dockerfile
+++ b/kibana-odfe/Dockerfile
@@ -2,7 +2,7 @@
FROM amazon/opendistro-for-elasticsearch-kibana:1.13.2
USER kibana
ARG ELASTIC_VERSION=7.10.2
-ARG WAZUH_VERSION=4.3.0
+ARG WAZUH_VERSION=4.4.0
ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
WORKDIR /usr/share/kibana
diff --git a/kibana/Dockerfile b/kibana/Dockerfile
index d98443ae..d0a17f71 100644
--- a/kibana/Dockerfile
+++ b/kibana/Dockerfile
@@ -2,7 +2,7 @@
FROM docker.elastic.co/kibana/kibana:7.10.2
USER kibana
ARG ELASTIC_VERSION=7.10.2
-ARG WAZUH_VERSION=4.3.0
+ARG WAZUH_VERSION=4.4.0
ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
WORKDIR /usr/share/kibana
diff --git a/production-cluster.yml b/production-cluster.yml
index df0d2250..64502411 100644
--- a/production-cluster.yml
+++ b/production-cluster.yml
@@ -3,7 +3,7 @@ version: '3.7'
services:
wazuh-master:
- image: wazuh/wazuh-odfe:4.3.0
+ image: wazuh/wazuh-odfe:4.4.0
hostname: wazuh-master
restart: always
ports:
@@ -38,7 +38,7 @@ services:
- ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
wazuh-worker:
- image: wazuh/wazuh-odfe:4.3.0
+ image: wazuh/wazuh-odfe:4.4.0
hostname: wazuh-worker
restart: always
environment:
@@ -134,7 +134,7 @@ services:
- ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
kibana:
- image: wazuh/wazuh-kibana-odfe:4.3.0
+ image: wazuh/wazuh-kibana-odfe:4.4.0
hostname: kibana
restart: always
ports:
diff --git a/production_cluster.tpl/elastic_opendistro/elasticsearch-node1.yml b/production_cluster.tpl/elastic_opendistro/elasticsearch-node1.yml
new file mode 100644
index 00000000..4f9a628d
--- /dev/null
+++ b/production_cluster.tpl/elastic_opendistro/elasticsearch-node1.yml
@@ -0,0 +1,31 @@
+network.host: 0.0.0.0
+cluster.name: wazuh-cluster
+node.name: elasticsearch
+discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
+cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
+bootstrap.memory_lock: true
+
+opendistro_security.ssl.transport.pemcert_filepath: node1.pem
+opendistro_security.ssl.transport.pemkey_filepath: node1.key
+opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.transport.resolve_hostname: false
+opendistro_security.ssl.http.enabled: true
+opendistro_security.ssl.http.pemcert_filepath: node1.pem
+opendistro_security.ssl.http.pemkey_filepath: node1.key
+opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.nodes_dn:
+ - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+ - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+ - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+ - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+cluster.routing.allocation.disk.threshold_enabled: false
+#opendistro_security.audit.config.disabled_rest_categories: NONE
+#opendistro_security.audit.config.disabled_transport_categories: NONE
+opendistro_security.audit.log_request_body: false
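Review bot: `opendistro_security.ssl.transport.enforce_hostname_verification: false` switches off SAN/hostname checking on the node-to-node TLS handshake, so peer identity rests solely on the DN allow-list in `nodes_dn`. The certificate spec in `ssl_certs/certs.yml` already issues each node cert with the matching DNS SAN (`elasticsearch`, `elasticsearch-2`, `elasticsearch-3`), so this could be tightened to `opendistro_security.ssl.transport.enforce_hostname_verification: true`; because nodes dial each other's publish address after discovery, that may additionally need `resolve_hostname: true` or `network.publish_host` set to the service name — verify on a test cluster before flipping it. If it has to stay off, a comment such as `# hostname verification off: node identity is enforced only via nodes_dn` tells operators what the compensating control is.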
diff --git a/production_cluster.tpl/elastic_opendistro/elasticsearch-node2.yml b/production_cluster.tpl/elastic_opendistro/elasticsearch-node2.yml
new file mode 100644
index 00000000..e368461e
--- /dev/null
+++ b/production_cluster.tpl/elastic_opendistro/elasticsearch-node2.yml
@@ -0,0 +1,31 @@
+network.host: 0.0.0.0
+cluster.name: wazuh-cluster
+node.name: elasticsearch-2
+discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
+cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
+bootstrap.memory_lock: true
+
+opendistro_security.ssl.transport.pemcert_filepath: node2.pem
+opendistro_security.ssl.transport.pemkey_filepath: node2.key
+opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.transport.resolve_hostname: false
+opendistro_security.ssl.http.enabled: true
+opendistro_security.ssl.http.pemcert_filepath: node2.pem
+opendistro_security.ssl.http.pemkey_filepath: node2.key
+opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.nodes_dn:
+ - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+ - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+ - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+ - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+cluster.routing.allocation.disk.threshold_enabled: false
+#opendistro_security.audit.config.disabled_rest_categories: NONE
+#opendistro_security.audit.config.disabled_transport_categories: NONE
+opendistro_security.audit.log_request_body: false
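Review bot: `opendistro_security.allow_default_init_securityindex: true` lets the first node that starts seed the security index from the mounted `securityconfig` files, which in this template is the demo `internal_users.yml`, so a fresh cluster comes up with demo credentials unless that file was edited before first start. Once the index exists, later edits to the file are ignored until `securityadmin.sh` is run, which is easy to miss when the flag reads as "always apply". Suggest a comment next to the key, `# one-shot bootstrap from securityconfig/; later changes require securityadmin.sh`, and documenting that it should be set to `false` after the initial securityadmin run.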
diff --git a/production_cluster.tpl/elastic_opendistro/elasticsearch-node3.yml b/production_cluster.tpl/elastic_opendistro/elasticsearch-node3.yml
new file mode 100644
index 00000000..14717a81
--- /dev/null
+++ b/production_cluster.tpl/elastic_opendistro/elasticsearch-node3.yml
@@ -0,0 +1,31 @@
+network.host: 0.0.0.0
+cluster.name: wazuh-cluster
+node.name: elasticsearch-3
+discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
+cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
+bootstrap.memory_lock: true
+
+opendistro_security.ssl.transport.pemcert_filepath: node3.pem
+opendistro_security.ssl.transport.pemkey_filepath: node3.key
+opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.transport.resolve_hostname: false
+opendistro_security.ssl.http.enabled: true
+opendistro_security.ssl.http.pemcert_filepath: node3.pem
+opendistro_security.ssl.http.pemkey_filepath: node3.key
+opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.nodes_dn:
+ - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+ - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+ - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+ - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+cluster.routing.allocation.disk.threshold_enabled: false
+#opendistro_security.audit.config.disabled_rest_categories: NONE
+#opendistro_security.audit.config.disabled_transport_categories: NONE
+opendistro_security.audit.log_request_body: false
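Review bot: `opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]` grants the security REST API (user, role and mapping management) to every `all_access` user, which in this template includes the demo `admin` account. The plugin documentation steers towards a dedicated role for this API rather than `all_access`; consider `opendistro_security.restapi.roles_enabled: ["security_rest_api_access"]` and mapping only the operators who need it. The commented-out `disabled_rest_categories`/`disabled_transport_categories` lines leave the audit log on the plugin's default exclusions, which include some authentication events; a comment such as `# uncomment both with NONE for full authentication auditing` would make the intent of keeping them visible explicit.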
diff --git a/production_cluster.tpl/elastic_opendistro/internal_users.yml b/production_cluster.tpl/elastic_opendistro/internal_users.yml
new file mode 100644
index 00000000..d9f05b34
--- /dev/null
+++ b/production_cluster.tpl/elastic_opendistro/internal_users.yml
@@ -0,0 +1,56 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+ type: "internalusers"
+ config_version: 2
+
+# Define your internal users here
+
+## Demo users
+
+admin:
+ hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
+ reserved: true
+ backend_roles:
+ - "admin"
+ description: "Demo admin user"
+
+kibanaserver:
+ hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
+ reserved: true
+ description: "Demo kibanaserver user"
+
+kibanaro:
+ hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+ reserved: false
+ backend_roles:
+ - "kibanauser"
+ - "readall"
+ attributes:
+ attribute1: "value1"
+ attribute2: "value2"
+ attribute3: "value3"
+ description: "Demo kibanaro user"
+
+logstash:
+ hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
+ reserved: false
+ backend_roles:
+ - "logstash"
+ description: "Demo logstash user"
+
+readall:
+ hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
+ reserved: false
+ backend_roles:
+ - "readall"
+ description: "Demo readall user"
+
+snapshotrestore:
+ hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
+ reserved: false
+ backend_roles:
+ - "snapshotrestore"
+ description: "Demo snapshotrestore user"
diff --git a/production_cluster.tpl/kibana_ssl/generate-self-signed-cert.sh b/production_cluster.tpl/kibana_ssl/generate-self-signed-cert.sh
new file mode 100644
index 00000000..5951acf7
--- /dev/null
+++ b/production_cluster.tpl/kibana_ssl/generate-self-signed-cert.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+cd $DIR
+
+if [ -s key.pem ]
+then
+ echo "Certificate already exists"
+ exit
+else
+ openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
+ chown -R 1000:1000 *.pem
+fi
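Review bot: The private key is written with whatever permissions the caller's umask gives (commonly 0644 unless this openssl build restricts it) and only its ownership is changed, so the key that terminates TLS for Kibana may be world-readable; set `umask 077` before the `openssl` call or `chmod 600 key.pem` after it. `cd $DIR` is unquoted and there is no `set -e`, so a path with spaces or a failed `openssl` still falls through to `chown -R 1000:1000 *.pem` and the script exits 0. `openssl req -batch` without `-subj` takes the default subject from the system openssl.cnf and sets no SAN, which is why nginx has to run with `proxy_ssl_verify off`; passing `-subj '/CN=kibana'` (and `-addext 'subjectAltName=DNS:kibana'` on OpenSSL 1.1.1+) would allow that to be turned on. The bare `exit` on the already-exists branch should be `exit 0` to make the intent explicit.
```shell
set -euo pipefail
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
cd "$DIR"
# … unchanged: key.pem existence check, exit 0 branch …
  umask 077
  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -subj '/CN=kibana' -keyout key.pem -out cert.pem
  chown 1000:1000 ./*.pem
```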
diff --git a/production_cluster.tpl/nginx/nginx.conf b/production_cluster.tpl/nginx/nginx.conf
new file mode 100644
index 00000000..8cd13ca2
--- /dev/null
+++ b/production_cluster.tpl/nginx/nginx.conf
@@ -0,0 +1,67 @@
+user nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ server_tokens off;
+ gzip on;
+
+ # kibana UI
+ server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host:443$request_uri;
+ }
+
+ server {
+ listen 443 default_server ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/nginx/ssl/cert.pem;
+ ssl_certificate_key /etc/nginx/ssl/key.pem;
+ location / {
+ proxy_pass https://kibana:5601/;
+ proxy_ssl_verify off;
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+ }
+ }
+
+}
+
+
+
+# load balancer for Wazuh cluster
+stream {
+ upstream mycluster {
+ hash $remote_addr consistent;
+ server wazuh-master:1514;
+ server wazuh-worker:1514;
+ }
+ server {
+ listen 1514;
+ proxy_pass mycluster;
+ }
+}
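Review bot: The HTTPS server block sets no `ssl_protocols` or cipher policy and sends no HSTS header, so the accepted TLS versions are whatever this nginx build defaults to (older builds still enable TLSv1/1.1) and the port-80 redirect is the only thing pushing clients to HTTPS. Add inside the 443 server: `ssl_protocols TLSv1.2 TLSv1.3;`, `ssl_prefer_server_ciphers on;` and `add_header Strict-Transport-Security "max-age=31536000" always;`. `proxy_ssl_verify off` means nginx accepts any certificate from `kibana:5601`; that is defensible on a private compose network, but deserves a comment like `# upstream cert is self-signed; trust rests on network isolation`, and with a SAN on the Kibana cert it could become `proxy_ssl_verify on` plus `proxy_ssl_trusted_certificate`. The `stream` proxy on 1514 presumably makes the managers see nginx's address as every agent's source IP, which is worth a comment since it affects the agent IP the manager records.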
diff --git a/production_cluster.tpl/nginx/ssl/generate-self-signed-cert.sh b/production_cluster.tpl/nginx/ssl/generate-self-signed-cert.sh
new file mode 100644
index 00000000..e006733f
--- /dev/null
+++ b/production_cluster.tpl/nginx/ssl/generate-self-signed-cert.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+cd $DIR
+
+if [ -s key.pem ]
+then
+ echo "Certificate already exists"
+ exit
+else
+ openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
+fi
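Review bot: The generated `key.pem` is the private key for the public-facing HTTPS endpoint, but the script leaves it with whatever permissions the umask gives (commonly 0644) and, unlike the Kibana sibling script, does not even adjust ownership; add `chmod 600 key.pem` after the `openssl` call or `umask 077` at the top. `cd $DIR` should be `cd "$DIR"`, and `set -euo pipefail` at the top would stop a failed key generation from exiting 0 and letting the stack start nginx against a missing certificate. The self-signed certificate has no SAN and a default subject, so browsers will warn even if it is imported into a trust store; `-subj '/CN=<hostname>'` with `-addext 'subjectAltName=DNS:<hostname>'` (OpenSSL 1.1.1+) makes it pinnable.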
diff --git a/production_cluster.tpl/ssl_certs/certs.yml b/production_cluster.tpl/ssl_certs/certs.yml
new file mode 100644
index 00000000..486e4178
--- /dev/null
+++ b/production_cluster.tpl/ssl_certs/certs.yml
@@ -0,0 +1,35 @@
+ca:
+ root:
+ dn: CN=root-ca,OU=CA,O=Example\, Inc.,DC=example,DC=com
+ pkPassword: none
+ keysize: 2048
+ file: root-ca.pem
+ intermediate:
+ dn: CN=intermediate,OU=CA,O=Example\, Inc.,DC=example,DC=com
+ keysize: 2048
+ validityDays: 3650
+ pkPassword: intermediate-ca-password
+ file: intermediate-ca.pem
+
+nodes:
+ - name: node1
+ dn: CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+ dns:
+ - elasticsearch
+ - name: node2
+ dn: CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+ dns:
+ - elasticsearch-2
+ - name: node3
+ dn: CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+ dns:
+ - elasticsearch-3
+ - name: filebeat
+ dn: CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+ dns:
+ - wazuh
+
+clients:
+ - name: admin
+ dn: CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+ admin: true
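Review bot: The intermediate CA key password is a literal placeholder, `pkPassword: intermediate-ca-password`, and the root CA key is generated unencrypted (`pkPassword: none`); anyone who can read the `ssl_certs` output directory can mint node or admin certificates that every `nodes_dn`/`admin_dn` entry in the Elasticsearch configs will accept. The TLS tool this file appears to target supports `pkPassword: auto`, which generates a random password and records it with the output — use that (or a per-deployment secret) for both CAs, and note in a comment that the root key should be removed from the hosts once node certificates are issued. The root block also has no `validityDays`, so its lifetime is whatever the tool defaults to; state it explicitly next to the intermediate's `validityDays: 3650`.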
diff --git a/production_cluster.tpl/wazuh_cluster/wazuh_manager.conf b/production_cluster.tpl/wazuh_cluster/wazuh_manager.conf
new file mode 100644
index 00000000..e24dd77f
--- /dev/null
+++ b/production_cluster.tpl/wazuh_cluster/wazuh_manager.conf
@@ -0,0 +1,349 @@
+
+
+ yes
+ yes
+ no
+ no
+ no
+ smtp.example.wazuh.com
+ wazuh@example.wazuh.com
+ recipient@example.wazuh.com
+ 12
+ alerts.log
+
+
+
+ 3
+ 12
+
+
+
+
+ plain
+
+
+
+ secure
+ 1514
+ tcp
+ 131072
+
+
+
+
+ no
+ yes
+ yes
+ yes
+ yes
+ yes
+ yes
+ yes
+
+
+ 43200
+
+ /var/ossec/etc/rootcheck/rootkit_files.txt
+ /var/ossec/etc/rootcheck/rootkit_trojans.txt
+
+ yes
+
+
+
+ yes
+ 1800
+ 1d
+ yes
+
+ wodles/java
+ wodles/ciscat
+
+
+
+
+ yes
+ yes
+ /var/log/osquery/osqueryd.results.log
+ /etc/osquery/osquery.conf
+ yes
+
+
+
+
+ no
+ 1h
+ yes
+ yes
+ yes
+ yes
+ yes
+ yes
+ yes
+
+
+
+ yes
+ yes
+ 12h
+ yes
+
+
+
+ no
+ 5m
+ 6h
+ yes
+
+
+
+ no
+ trusty
+ xenial
+ bionic
+ focal
+ 1h
+
+
+
+
+ no
+ stretch
+ buster
+ 1h
+
+
+
+
+ no
+ 5
+ 6
+ 7
+ 8
+ 1h
+
+
+
+
+ yes
+ 1h
+
+
+
+
+ yes
+ 2010
+ 1h
+
+
+
+
+
+
+ no
+
+
+ 43200
+
+ yes
+
+
+ yes
+
+
+ no
+
+
+ /etc,/usr/bin,/usr/sbin
+ /bin,/sbin,/boot
+
+
+ /etc/mtab
+ /etc/hosts.deny
+ /etc/mail/statistics
+ /etc/random-seed
+ /etc/random.seed
+ /etc/adjtime
+ /etc/httpd/logs
+ /etc/utmpx
+ /etc/wtmpx
+ /etc/cups/certs
+ /etc/dumpdates
+ /etc/svc/volatile
+
+
+ .log$|.swp$
+
+
+ /etc/ssl/private.key
+
+ yes
+ yes
+ yes
+ yes
+
+
+ 10
+
+
+ 100
+
+
+
+ yes
+ 5m
+ 1h
+ 10
+
+
+
+
+
+ 127.0.0.1
+ ^localhost.localdomain$
+ 4.4.0.1
+ 4.4.0.2
+ 208.67.220.220
+
+
+
+ disable-account
+ disable-account.sh
+ user
+ yes
+
+
+
+ restart-ossec
+ restart-ossec.sh
+
+
+
+
+ firewall-drop
+ firewall-drop.sh
+ srcip
+ yes
+
+
+
+ host-deny
+ host-deny.sh
+ srcip
+ yes
+
+
+
+ route-null
+ route-null.sh
+ srcip
+ yes
+
+
+
+ win_route-null
+ route-null.cmd
+ srcip
+ yes
+
+
+
+ win_route-null-2012
+ route-null-2012.cmd
+ srcip
+ yes
+
+
+
+ netsh
+ netsh.cmd
+ srcip
+ yes
+
+
+
+ netsh-win-2016
+ netsh-win-2016.cmd
+ srcip
+ yes
+
+
+
+
+
+
+ command
+ df -P
+ 360
+
+
+
+ full_command
+ netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
+ netstat listening ports
+ 360
+
+
+
+ full_command
+ last -n 20
+ 360
+
+
+
+
+ ruleset/decoders
+ ruleset/rules
+ 0215-policy_rules.xml
+ etc/lists/audit-keys
+ etc/lists/amazon/aws-eventnames
+ etc/lists/security-eventchannel
+
+
+ etc/decoders
+ etc/rules
+
+
+
+
+ no
+ 1515
+ no
+ yes
+ 0
+ yes
+ no
+ yes
+ HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
+
+ no
+ /var/ossec/etc/sslmanager.cert
+ /var/ossec/etc/sslmanager.key
+ no
+
+
+
+ wazuh
+ manager
+ master
+ c98b6ha9b6169zc5f67rae55ae4z5647
+ 1516
+ 0.0.0.0
+
+ wazuh-master
+
+ no
+ no
+
+
+
+
+
+
+ syslog
+ /var/ossec/logs/active-responses.log
+
+
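Review bot: The cluster key `c98b6ha9b6169zc5f67rae55ae4z5647` is a fixed value shipped in the template and repeated verbatim in `wazuh_worker.conf`, while the cluster listener binds `0.0.0.0` on 1516; since this key is what authenticates and encrypts manager-to-manager traffic, anyone holding the public template can join a rogue worker or read cluster traffic wherever 1516 is reachable. Replace it with a per-deployment value (`openssl rand -hex 16` yields the required 32 characters) and leave a `<!-- REPLACE: generate with openssl rand -hex 16 -->` marker so a copied template fails visibly rather than silently sharing the key. The active-response `white_list` entries `4.4.0.1` and `4.4.0.2` are the product version with a trailing octet, not addresses of anything, and should be the resolver/host addresses that active response must never block. Element names are inferred from the standard ossec.conf layout, as the XML tags were stripped in this rendering.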
diff --git a/production_cluster.tpl/wazuh_cluster/wazuh_worker.conf b/production_cluster.tpl/wazuh_cluster/wazuh_worker.conf
new file mode 100644
index 00000000..1c17cac7
--- /dev/null
+++ b/production_cluster.tpl/wazuh_cluster/wazuh_worker.conf
@@ -0,0 +1,349 @@
+
+
+ yes
+ yes
+ no
+ no
+ no
+ smtp.example.wazuh.com
+ wazuh@example.wazuh.com
+ recipient@example.wazuh.com
+ 12
+ alerts.log
+
+
+
+ 3
+ 12
+
+
+
+
+ plain
+
+
+
+ secure
+ 1514
+ tcp
+ 131072
+
+
+
+
+ no
+ yes
+ yes
+ yes
+ yes
+ yes
+ yes
+ yes
+
+
+ 43200
+
+ /var/ossec/etc/rootcheck/rootkit_files.txt
+ /var/ossec/etc/rootcheck/rootkit_trojans.txt
+
+ yes
+
+
+
+ yes
+ 1800
+ 1d
+ yes
+
+ wodles/java
+ wodles/ciscat
+
+
+
+
+ yes
+ yes
+ /var/log/osquery/osqueryd.results.log
+ /etc/osquery/osquery.conf
+ yes
+
+
+
+
+ no
+ 1h
+ yes
+ yes
+ yes
+ yes
+ yes
+ yes
+ yes
+
+
+
+ yes
+ yes
+ 12h
+ yes
+
+
+
+ no
+ 5m
+ 6h
+ yes
+
+
+
+ no
+ trusty
+ xenial
+ bionic
+ focal
+ 1h
+
+
+
+
+ no
+ stretch
+ buster
+ 1h
+
+
+
+
+ no
+ 5
+ 6
+ 7
+ 8
+ 1h
+
+
+
+
+ yes
+ 1h
+
+
+
+
+ yes
+ 2010
+ 1h
+
+
+
+
+
+
+ no
+
+
+ 43200
+
+ yes
+
+
+ yes
+
+
+ no
+
+
+ /etc,/usr/bin,/usr/sbin
+ /bin,/sbin,/boot
+
+
+ /etc/mtab
+ /etc/hosts.deny
+ /etc/mail/statistics
+ /etc/random-seed
+ /etc/random.seed
+ /etc/adjtime
+ /etc/httpd/logs
+ /etc/utmpx
+ /etc/wtmpx
+ /etc/cups/certs
+ /etc/dumpdates
+ /etc/svc/volatile
+
+
+ .log$|.swp$
+
+
+ /etc/ssl/private.key
+
+ yes
+ yes
+ yes
+ yes
+
+
+ 10
+
+
+ 100
+
+
+
+ yes
+ 5m
+ 1h
+ 10
+
+
+
+
+
+ 127.0.0.1
+ ^localhost.localdomain$
+ 4.4.0.1
+ 4.4.0.2
+ 208.67.220.220
+
+
+
+ disable-account
+ disable-account.sh
+ user
+ yes
+
+
+
+ restart-ossec
+ restart-ossec.sh
+
+
+
+
+ firewall-drop
+ firewall-drop.sh
+ srcip
+ yes
+
+
+
+ host-deny
+ host-deny.sh
+ srcip
+ yes
+
+
+
+ route-null
+ route-null.sh
+ srcip
+ yes
+
+
+
+ win_route-null
+ route-null.cmd
+ srcip
+ yes
+
+
+
+ win_route-null-2012
+ route-null-2012.cmd
+ srcip
+ yes
+
+
+
+ netsh
+ netsh.cmd
+ srcip
+ yes
+
+
+
+ netsh-win-2016
+ netsh-win-2016.cmd
+ srcip
+ yes
+
+
+
+
+
+
+ command
+ df -P
+ 360
+
+
+
+ full_command
+ netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
+ netstat listening ports
+ 360
+
+
+
+ full_command
+ last -n 20
+ 360
+
+
+
+
+ ruleset/decoders
+ ruleset/rules
+ 0215-policy_rules.xml
+ etc/lists/audit-keys
+ etc/lists/amazon/aws-eventnames
+ etc/lists/security-eventchannel
+
+
+ etc/decoders
+ etc/rules
+
+
+
+
+ no
+ 1515
+ no
+ yes
+ 0
+ yes
+ no
+ yes
+ HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
+
+ no
+ /var/ossec/etc/sslmanager.cert
+ /var/ossec/etc/sslmanager.key
+ no
+
+
+
+ wazuh
+ worker01
+ worker
+ c98b6ha9b6169zc5f67rae55ae4z5647
+ 1516
+ 0.0.0.0
+
+ wazuh-master
+
+ no
+ no
+
+
+
+
+
+
+ syslog
+ /var/ossec/logs/active-responses.log
+
+
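Review bot: The active-response `white_list` lists `4.4.0.1` and `4.4.0.2` alongside `127.0.0.1` and `208.67.220.220`; those two entries match the product version rather than any resolver or host, and the tracked `production_cluster` copy in this same commit shows them being rewritten by the version bump, so a global search-and-replace has been editing IP literals. The white_list exists so `firewall-drop`/`host-deny` never block DNS servers or management hosts, so the entries should be the real addresses for the deployment (e.g. Docker's embedded resolver `127.0.0.11`, if that is what was originally intended) and the bump script should exclude these files. This worker file also reuses the manager's cluster key verbatim; it must match the master's, but should be a per-deployment secret rather than the template value. Element names are inferred, as the XML tags were stripped in this rendering.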
diff --git a/production_cluster/wazuh_cluster/wazuh_manager.conf b/production_cluster/wazuh_cluster/wazuh_manager.conf
index 38a180d6..e24dd77f 100644
--- a/production_cluster/wazuh_cluster/wazuh_manager.conf
+++ b/production_cluster/wazuh_cluster/wazuh_manager.conf
@@ -200,8 +200,8 @@
127.0.0.1
^localhost.localdomain$
- 4.3.0.1
- 4.3.0.2
+ 4.4.0.1
+ 4.4.0.2
208.67.220.220
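Review bot: The active-response `white_list` now reads `4.4.0.1`/`4.4.0.2`, values that are the product version with a trailing octet rather than addresses of anything; the bump's search-and-replace matched inside IP literals (they were `4.3.0.1`/`4.3.0.2` before, themselves likely an earlier artifact). Whatever the list was meant to protect (presumably the resolver addresses the stock ossec.conf populates here) has already been lost; restore the intended addresses and narrow the bump substitution to version fields so this stops recurring. Note that this file also has to remain tracked for the hunk to mean anything, yet the `.gitignore` added in this commit ignores the whole `production_cluster` directory.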
diff --git a/production_cluster/wazuh_cluster/wazuh_worker.conf b/production_cluster/wazuh_cluster/wazuh_worker.conf
index bc0bbb8d..1c17cac7 100644
--- a/production_cluster/wazuh_cluster/wazuh_worker.conf
+++ b/production_cluster/wazuh_cluster/wazuh_worker.conf
@@ -200,8 +200,8 @@
127.0.0.1
^localhost.localdomain$
- 4.3.0.1
- 4.3.0.2
+ 4.4.0.1
+ 4.4.0.2
208.67.220.220
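Review bot: The `white_list` entries `4.4.0.1`/`4.4.0.2` are version-string artifacts, not addresses: the only change here is the same `4.3.0`→`4.4.0` substitution applied to everything else in the bump, which shows these IP literals are rewritten on every release. A meaningless entry is harmless on its own, but the addresses that should be protected from `firewall-drop`/`host-deny` (the resolver/host entries the stock ossec.conf populates) are missing; restore them and exclude `*.conf` from the bump substitution.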
diff --git a/wazuh-odfe/Dockerfile b/wazuh-odfe/Dockerfile
index 73cb6034..051c520c 100644
--- a/wazuh-odfe/Dockerfile
+++ b/wazuh-odfe/Dockerfile
@@ -3,7 +3,7 @@ FROM centos:7
ARG FILEBEAT_CHANNEL=filebeat-oss
ARG FILEBEAT_VERSION=7.10.2
-ARG WAZUH_VERSION=4.3.0-1
+ARG WAZUH_VERSION=4.4.0-1
ARG TEMPLATE_VERSION="master"
ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz"
diff --git a/xpack-compose.yml b/xpack-compose.yml
index f741a7ce..8fdb12e7 100644
--- a/xpack-compose.yml
+++ b/xpack-compose.yml
@@ -3,7 +3,7 @@ version: '3.7'
services:
wazuh:
- image: wazuh/wazuh:4.3.0
+ image: wazuh/wazuh:4.4.0
hostname: wazuh-manager
restart: always
ports:
@@ -146,7 +146,7 @@ services:
kibana:
- image: wazuh/wazuh-kibana:4.3.0
+ image: wazuh/wazuh-kibana:4.4.0
hostname: kibana
restart: always
ports:
diff --git a/xpack-from-sources.yml b/xpack-from-sources.yml
index 922eee93..ff5fb355 100644
--- a/xpack-from-sources.yml
+++ b/xpack-from-sources.yml
@@ -8,7 +8,7 @@ services:
args:
- FILEBEAT_CHANNEL=filebeat
- FILEBEAT_VERSION=7.11.2
- image: wazuh/wazuh:4.3.0
+ image: wazuh/wazuh:4.4.0
hostname: wazuh-manager
restart: always
ports:
@@ -152,7 +152,7 @@ services:
kibana:
build: kibana/
- image: wazuh/wazuh-kibana:4.3.0
+ image: wazuh/wazuh-kibana:4.4.0
hostname: kibana
restart: always
ports: