Templating production_cluster folder

.gitignore

@@ -0,0 +1 @@
+production_cluster

.goss.yaml

@@ -56,7 +56,7 @@ package:
   wazuh-manager:
     installed: true
     versions:
-    - 4.3.0
+    - 4.4.0
 port:
   tcp:1514:
     listening: true

CHANGELOG.md

@@ -1,6 +1,11 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## Wazuh Docker v4.4.0
+### Added
+
+- Update Wazuh to version [4.4.0](https://github.com/wazuh/wazuh/blob/v4.4.0/CHANGELOG.md#v440)
+
 ## Wazuh Docker v4.3.0
 ### Added
 

README.md

@@ -21,6 +21,12 @@ In addition, a docker-compose file is provided to launch the containers mentione
 * [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
 * [Docker hub](https://hub.docker.com/u/wazuh)
 
+To start, just copy the `production_cluster.tpl` template directory: 
+``` 
+cp -r production_cluster.tpl production_cluster  
+```  
+and follow the documentation to run the Wazuh stack.
+
 
 ### Setup SSL certificate
 
@@ -153,6 +159,7 @@ ADMIN_PRIVILEGES=true               # App privileges
 
 | Wazuh version | ODFE    | XPACK  |
 |---------------|---------|--------|
+| v4.4.0        | 1.13.2  | 7.11.2 |
 | v4.3.0        | 1.13.2  | 7.11.2 |
 | v4.2.5        | 1.13.2  | 7.11.2 |
 | v4.2.4        | 1.13.2  | 7.11.2 |

VERSION

@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="4.3.0"
-REVISION="43100"
+WAZUH-DOCKER_VERSION="4.4.0"
+REVISION="40400"

docker-compose.yml

@@ -3,7 +3,7 @@ version: '3.7'
 
 services:
   wazuh:
-    image: wazuh/wazuh-odfe:4.3.0
+    image: wazuh/wazuh-odfe:4.4.0
     hostname: wazuh-manager
     restart: always
     ports:
@@ -50,7 +50,7 @@ services:
         hard: 65536
 
   kibana:
-    image: wazuh/wazuh-kibana-odfe:4.3.0
+    image: wazuh/wazuh-kibana-odfe:4.4.0
     hostname: kibana
     restart: always
     ports:

kibana-odfe/Dockerfile

@@ -2,7 +2,7 @@
 FROM amazon/opendistro-for-elasticsearch-kibana:1.13.2
 USER kibana
 ARG ELASTIC_VERSION=7.10.2
-ARG WAZUH_VERSION=4.3.0
+ARG WAZUH_VERSION=4.4.0
 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
 
 WORKDIR /usr/share/kibana

kibana/Dockerfile

@@ -2,7 +2,7 @@
 FROM docker.elastic.co/kibana/kibana:7.10.2
 USER kibana
 ARG ELASTIC_VERSION=7.10.2
-ARG WAZUH_VERSION=4.3.0
+ARG WAZUH_VERSION=4.4.0
 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
 
 WORKDIR /usr/share/kibana

production-cluster.yml

@@ -3,7 +3,7 @@ version: '3.7'
 
 services:
   wazuh-master:
-    image: wazuh/wazuh-odfe:4.3.0
+    image: wazuh/wazuh-odfe:4.4.0
     hostname: wazuh-master
     restart: always
     ports:
@@ -38,7 +38,7 @@ services:
       - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
 
   wazuh-worker:
-    image: wazuh/wazuh-odfe:4.3.0
+    image: wazuh/wazuh-odfe:4.4.0
     hostname: wazuh-worker
     restart: always
     environment:
@@ -134,7 +134,7 @@ services:
       - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
 
   kibana:
-    image: wazuh/wazuh-kibana-odfe:4.3.0
+    image: wazuh/wazuh-kibana-odfe:4.4.0
     hostname: kibana
     restart: always
     ports:

production_cluster.tpl/elastic_opendistro/elasticsearch-node1.yml

@@ -0,0 +1,31 @@
+network.host: 0.0.0.0
+cluster.name: wazuh-cluster
+node.name: elasticsearch
+discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
+cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
+bootstrap.memory_lock: true
+
+opendistro_security.ssl.transport.pemcert_filepath: node1.pem
+opendistro_security.ssl.transport.pemkey_filepath: node1.key
+opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.transport.resolve_hostname: false
+opendistro_security.ssl.http.enabled: true
+opendistro_security.ssl.http.pemcert_filepath: node1.pem
+opendistro_security.ssl.http.pemkey_filepath: node1.key
+opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.nodes_dn:
+    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+cluster.routing.allocation.disk.threshold_enabled: false
+#opendistro_security.audit.config.disabled_rest_categories: NONE
+#opendistro_security.audit.config.disabled_transport_categories: NONE
+opendistro_security.audit.log_request_body: false

production_cluster.tpl/elastic_opendistro/elasticsearch-node2.yml

@@ -0,0 +1,31 @@
+network.host: 0.0.0.0
+cluster.name: wazuh-cluster
+node.name: elasticsearch-2
+discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
+cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
+bootstrap.memory_lock: true
+
+opendistro_security.ssl.transport.pemcert_filepath: node2.pem
+opendistro_security.ssl.transport.pemkey_filepath: node2.key
+opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.transport.resolve_hostname: false
+opendistro_security.ssl.http.enabled: true
+opendistro_security.ssl.http.pemcert_filepath: node2.pem
+opendistro_security.ssl.http.pemkey_filepath: node2.key
+opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.nodes_dn:
+    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+cluster.routing.allocation.disk.threshold_enabled: false
+#opendistro_security.audit.config.disabled_rest_categories: NONE
+#opendistro_security.audit.config.disabled_transport_categories: NONE
+opendistro_security.audit.log_request_body: false

production_cluster.tpl/elastic_opendistro/elasticsearch-node3.yml

@@ -0,0 +1,31 @@
+network.host: 0.0.0.0
+cluster.name: wazuh-cluster
+node.name: elasticsearch-3
+discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
+cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
+bootstrap.memory_lock: true
+
+opendistro_security.ssl.transport.pemcert_filepath: node3.pem
+opendistro_security.ssl.transport.pemkey_filepath: node3.key
+opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.transport.resolve_hostname: false
+opendistro_security.ssl.http.enabled: true
+opendistro_security.ssl.http.pemcert_filepath: node3.pem
+opendistro_security.ssl.http.pemkey_filepath: node3.key
+opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.nodes_dn:
+    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+cluster.routing.allocation.disk.threshold_enabled: false
+#opendistro_security.audit.config.disabled_rest_categories: NONE
+#opendistro_security.audit.config.disabled_transport_categories: NONE
+opendistro_security.audit.log_request_body: false

production_cluster.tpl/elastic_opendistro/internal_users.yml

@@ -0,0 +1,56 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+  type: "internalusers"
+  config_version: 2
+
+# Define your internal users here
+
+## Demo users
+
+admin:
+  hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
+  reserved: true
+  backend_roles:
+  - "admin"
+  description: "Demo admin user"
+
+kibanaserver:
+  hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
+  reserved: true
+  description: "Demo kibanaserver user"
+
+kibanaro:
+  hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+  reserved: false
+  backend_roles:
+  - "kibanauser"
+  - "readall"
+  attributes:
+    attribute1: "value1"
+    attribute2: "value2"
+    attribute3: "value3"
+  description: "Demo kibanaro user"
+
+logstash:
+  hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
+  reserved: false
+  backend_roles:
+  - "logstash"
+  description: "Demo logstash user"
+
+readall:
+  hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
+  reserved: false
+  backend_roles:
+  - "readall"
+  description: "Demo readall user"
+
+snapshotrestore:
+  hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
+  reserved: false
+  backend_roles:
+  - "snapshotrestore"
+  description: "Demo snapshotrestore user"

production_cluster.tpl/kibana_ssl/generate-self-signed-cert.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+cd $DIR
+
+if [ -s key.pem ]
+then
+    echo "Certificate already exists"
+    exit
+else
+    openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
+    chown -R 1000:1000 *.pem
+fi

production_cluster.tpl/nginx/nginx.conf

@@ -0,0 +1,67 @@
+user  nginx;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    server_tokens off;
+    gzip  on;
+
+    # kibana UI
+    server {
+        listen 80;
+        listen [::]:80;
+        return 301 https://$host:443$request_uri;
+    }
+
+    server {
+        listen 443 default_server ssl http2;
+        listen [::]:443 ssl http2;
+        ssl_certificate /etc/nginx/ssl/cert.pem;
+        ssl_certificate_key /etc/nginx/ssl/key.pem;
+        location / {
+            proxy_pass https://kibana:5601/;
+            proxy_ssl_verify off;
+            proxy_buffer_size          128k;
+            proxy_buffers              4 256k;
+            proxy_busy_buffers_size    256k;
+        }
+    }
+
+}
+
+
+
+# load balancer for Wazuh cluster
+stream {
+    upstream mycluster {
+        hash $remote_addr consistent;
+        server wazuh-master:1514;
+        server wazuh-worker:1514;
+    }
+    server {
+        listen 1514;
+        proxy_pass mycluster;
+    }
+}

production_cluster.tpl/nginx/ssl/generate-self-signed-cert.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+cd $DIR
+
+if [ -s key.pem ]
+then
+    echo "Certificate already exists"
+    exit
+else
+    openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
+fi

production_cluster.tpl/ssl_certs/certs.yml

@@ -0,0 +1,35 @@
+ca:
+   root:
+      dn: CN=root-ca,OU=CA,O=Example\, Inc.,DC=example,DC=com
+      pkPassword: none
+      keysize: 2048
+      file: root-ca.pem 
+   intermediate:
+      dn: CN=intermediate,OU=CA,O=Example\, Inc.,DC=example,DC=com
+      keysize: 2048
+      validityDays: 3650  
+      pkPassword: intermediate-ca-password
+      file: intermediate-ca.pem
+
+nodes:
+  - name: node1
+    dn: CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - elasticsearch
+  - name: node2
+    dn: CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - elasticsearch-2
+  - name: node3
+    dn: CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - elasticsearch-3
+  - name: filebeat
+    dn: CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - wazuh
+
+clients:
+  - name: admin
+    dn: CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    admin: true