diff --git a/ansible/app-configs/wazuh/dashboard/opensearch_dashboards.yml.j2 b/ansible/app-configs/wazuh/dashboard/opensearch_dashboards.yml.j2
new file mode 100644
index 00000000..149b5d9b
--- /dev/null
+++ b/ansible/app-configs/wazuh/dashboard/opensearch_dashboards.yml.j2
@@ -0,0 +1,12 @@
+server.host: 0.0.0.0
+server.port: 5601
+opensearch.hosts: https://wazuh.indexer:9200
+opensearch.ssl.verificationMode: certificate
+opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
+opensearch_security.multitenancy.enabled: false
+opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+server.ssl.enabled: true
+server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
+server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
+opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
+uiSettings.overrides.defaultRoute: /app/wz-home
\ No newline at end of file
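Review bot: `opensearch.ssl.verificationMode: certificate` on the fourth line of the new template validates the indexer's chain against the mounted root CA but skips the hostname check, so a certificate issued by the same CA for any other name would be accepted on `https://wazuh.indexer:9200`. The manager side of the same commit already uses `FILEBEAT_SSL_VERIFICATION_MODE: full` for that connection; if the indexer certificate's SAN covers `wazuh.indexer` (the cert filenames suggest it does, but that is inferred), the dashboard can match it with `opensearch.ssl.verificationMode: full`. Unrelated to behaviour, the file also lacks a trailing newline.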
diff --git a/ansible/app-configs/wazuh/wazuh.yml.j2 b/ansible/app-configs/wazuh/dashboard/wazuh.yml.j2
similarity index 100%
rename from ansible/app-configs/wazuh/wazuh.yml.j2
rename to ansible/app-configs/wazuh/dashboard/wazuh.yml.j2
diff --git a/ansible/app-configs/wazuh/wazuh.indexer.yml.j2 b/ansible/app-configs/wazuh/indexer/wazuh.indexer.yml.j2
similarity index 100%
rename from ansible/app-configs/wazuh/wazuh.indexer.yml.j2
rename to ansible/app-configs/wazuh/indexer/wazuh.indexer.yml.j2
diff --git a/ansible/app-configs/wazuh/manager/wazuh_manager.conf.j2 b/ansible/app-configs/wazuh/manager/wazuh_manager.conf.j2
new file mode 100644
index 00000000..a5c5015d
--- /dev/null
+++ b/ansible/app-configs/wazuh/manager/wazuh_manager.conf.j2
@@ -0,0 +1,311 @@
+
+
+ yes
+ yes
+ no
+ no
+ no
+ smtp.example.wazuh.com
+ wazuh@example.wazuh.com
+ recipient@example.wazuh.com
+ 12
+ alerts.log
+ 10m
+ 0
+
+
+
+ 3
+ 12
+
+
+
+
+ plain
+
+
+
+ secure
+ 1514
+ tcp
+ 131072
+
+
+
+
+ no
+ yes
+ yes
+ yes
+ yes
+ yes
+ yes
+ yes
+
+
+ 43200
+
+ etc/rootcheck/rootkit_files.txt
+ etc/rootcheck/rootkit_trojans.txt
+
+ yes
+
+
+
+ yes
+ 1800
+ 1d
+ yes
+
+ wodles/java
+ wodles/ciscat
+
+
+
+
+ yes
+ yes
+ /var/log/osquery/osqueryd.results.log
+ /etc/osquery/osquery.conf
+ yes
+
+
+
+
+ no
+ 1h
+ yes
+ yes
+ yes
+ yes
+ yes
+ yes
+ yes
+
+
+
+ 10
+
+
+
+
+ yes
+ yes
+ 12h
+ yes
+
+
+
+ yes
+ yes
+ 60m
+
+
+
+ yes
+
+ https://wazuh.indexer:9200
+
+
+
+ /etc/ssl/root-ca.pem
+
+ /etc/ssl/filebeat.pem
+ /etc/ssl/filebeat.key
+
+
+
+
+
+ no
+
+
+ 43200
+
+ yes
+
+
+ yes
+
+
+ no
+
+
+ /etc,/usr/bin,/usr/sbin
+ /bin,/sbin,/boot
+
+
+ /etc/mtab
+ /etc/hosts.deny
+ /etc/mail/statistics
+ /etc/random-seed
+ /etc/random.seed
+ /etc/adjtime
+ /etc/httpd/logs
+ /etc/utmpx
+ /etc/wtmpx
+ /etc/cups/certs
+ /etc/dumpdates
+ /etc/svc/volatile
+
+
+ .log$|.swp$
+
+
+ /etc/ssl/private.key
+
+ yes
+ yes
+ yes
+ yes
+
+
+ 10
+
+
+ 100
+
+
+
+ yes
+ 5m
+ 1h
+ 10
+
+
+
+
+
+ 127.0.0.1
+ ^localhost.localdomain$
+
+
+
+ disable-account
+ disable-account
+ yes
+
+
+
+ restart-wazuh
+ restart-wazuh
+
+
+
+ firewall-drop
+ firewall-drop
+ yes
+
+
+
+ host-deny
+ host-deny
+ yes
+
+
+
+ route-null
+ route-null
+ yes
+
+
+
+ win_route-null
+ route-null.exe
+ yes
+
+
+
+ netsh
+ netsh.exe
+ yes
+
+
+
+
+
+
+ command
+ df -P
+ 360
+
+
+
+ full_command
+ netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
+ netstat listening ports
+ 360
+
+
+
+ full_command
+ last -n 20
+ 360
+
+
+
+
+ ruleset/decoders
+ ruleset/rules
+ 0215-policy_rules.xml
+ etc/lists/audit-keys
+ etc/lists/amazon/aws-eventnames
+ etc/lists/security-eventchannel
+ etc/lists/malicious-ioc/malicious-ip
+ etc/lists/malicious-ioc/malicious-domains
+ etc/lists/malicious-ioc/malware-hashes
+
+
+ etc/decoders
+ etc/rules
+
+
+
+ yes
+ 1
+ 64
+ 15m
+
+
+
+
+ no
+ 1515
+ no
+ yes
+ no
+ HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
+
+ no
+ etc/sslmanager.cert
+ etc/sslmanager.key
+ no
+
+
+
+ wazuh
+ node01
+ master
+ aa093264ef885029653eea20dfcf51ae
+ 1516
+ 0.0.0.0
+
+ wazuh.manager
+
+ no
+ yes
+
+
+
+
+
+
+ syslog
+ /var/ossec/logs/active-responses.log
+
+
+
\ No newline at end of file
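Review bot: The 32-character hex literal `aa093264ef885029653eea20dfcf51ae`, sitting between the `master` node type and the `1516` port, appears to be the cluster key, which means a shared secret is committed in a `.j2` template rather than templated from a vaulted variable; note that the XML tags are stripped in this view, so the element positions are inferred from the ordering of the cluster block. If the `yes` two lines below `wazuh.manager` is the cluster `disabled` flag the value is inert today, but it will be live the moment someone enables clustering, so it should read `<key>{{ wazuh_cluster_key }}</key>` (constructed variable name) with the value supplied from Ansible Vault. The same applies to the `smtp.example.wazuh.com` / recipient placeholders near the top, which are safer as template variables than as real-looking literals.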
diff --git a/docker-compose.yml b/docker-compose.yml
index 0c80a4c1..9c2ca58a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1231,12 +1231,12 @@ services:
swag.uptime-kuma.monitor.interval: 300
### EXAMPLE CF TUNNEL LABELS ###
# Enable DockFlare management for this container
- # - "cloudflare.tunnel.enable=true"
+ # - "cloudflare.tunnel.enable=true"
# The public hostname to expose
# - "cloudflare.tunnel.hostname=my-service.example.com"
# The internal service address (protocol://container_name_or_ip:port)
# Service type (http, https, tcp, ssh, rdp, http_status) is inferred from the prefix.
- # - "cloudflare.tunnel.service=http://my-service:80"
+ # - "cloudflare.tunnel.service=http://my-service:80"
# Optional: Specify a URL path. Only requests to hostname/path will match.
# - "cloudflare.tunnel.path=/app"
# Optional: Specify a different Cloudflare Zone for this hostname
@@ -4827,7 +4827,7 @@ services:
# REDIS_PASSWORD: # [Optional] Support for secured redis
# [Optional] Will enable asynchronous tasks (all disabled by default)
# Important: Do NOT wrap the cron expression in quotes
- ENABLE_RESCAN_ON_FILESYSTEM_CHANGE: true # Runs a quick scan on the library when a file is added or removed
+ ENABLE_RESCAN_ON_FILESYSTEM_CHANGE: true # Runs a quick scan on the library when a file is added or removed
RESCAN_ON_FILESYSTEM_CHANGE_DELAY: 5 # Delay in seconds before running the quick scan (default: 5)
ENABLE_SCHEDULED_RESCAN: true # Runs a quick scan on the library at a given time
SCHEDULED_RESCAN_CRON: 0 3 * * * # Cron expression for the scheduled scan (default: 0 3 * * * At 3:00 AM every day)
@@ -5904,6 +5904,146 @@ services:
source: /var/run/docker.sock
target: /var/run/docker.sock
type: bind
+ # wazuh-certs-generator:
+ # container_name: wazuh-certs-generator
+ # environment:
+ # HTTP_PROXY: wazuh.trez.wtf
+ # image: wazuh/wazuh-certs-generator:0.0.2
+ # hostname: wazuh-certs-generator
+ # volumes:
+ # - ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/:/certificates/
+ # - ${DOCKER_VOLUME_CONFIG}/wazuh/certs.yml:/config/certs.yml
+ # wazuh-agent:
+ # container_name: wazuh.agent
+ # environment:
+ # JOIN_MANAGER_PROTOCOL: https
+ # JOIN_MANAGER_MASTER_HOST: wazuh.manager
+ # JOIN_MANAGER_WORKER_HOST: wazuh.manager
+ # JOIN_MANAGER_USER: wazuh-wui
+ # JOIN_MANAGER_PASSWORD: ${WAZUH_API_PASSWORD}
+ # JOIN_MANAGER_API_PORT: 55000
+ # JOIN_MANAGER_PORT: 1514
+ # VIRUS_TOTAL_KEY: ${VIRUS_TOTAL_API_KEY}
+ # DOCKER_HOST: tcp://dockerproxy:2375
+ # hostname: wazuh.agent
+ # image: kennyopennix/wazuh-agent:4.11.1
+ # networks:
+ # default: null
+ # restart: unless-stopped
+ wazuh-dashboard:
+ container_name: wazuh-dashboard
+ depends_on:
+ wazuh-indexer:
+ condition: service_started
+ required: true
+ wazuh-manager:
+ condition: service_started
+ required: true
+ restart: true
+ environment:
+ INDEXER_USERNAME: admin
+ INDEXER_PASSWORD: ${WAZUH_INDEXER_PASSWORD}
+ WAZUH_API_URL: https://wazuh.manager
+ DASHBOARD_USERNAME: kibanaserver
+ DASHBOARD_PASSWORD: ${WAZUH_KIBANA_PASSWORD}
+ API_USERNAME: wazuh-wui
+ API_PASSWORD: ${WAZUH_API_PASSWORD}
+ hostname: wazuh-dashboard
+ image: wazuh/wazuh-dashboard:4.12.0
+ labels:
+ swag: enable
+ swag_proto: https
+ swag_port: 5601
+ swag_url: wsec.${MY_TLD}
+ swag.uptime-kuma.enabled: true
+ swag.uptime-kuma.monitor.url: https://wazuh.${MY_TLD}
+ homepage.group: Privacy/Security
+ homepage.name: Wazuh
+ homepage.href: https://wazuh.${MY_TLD}
+ homepage.icon: wazuh.svg
+ homepage.description: OSS Security Platform for XDR/SIEM
+ links:
+ - wazuh-indexer:wazuh-indexer
+ - wazuh-manager:wazuh-manager
+ ports:
+ - 5601:5601/tcp
+ restart: always
+ volumes:
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
+ - wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
+ - wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
+ wazuh-indexer:
+ container_name: wazuh-indexer
+ environment:
+ OPENSEARCH_JAVA_OPTS: -Xms512m -Xmx512m
+ hostname: wazuh-indexer
+ image: wazuh/wazuh-indexer:4.12.0
+ ports:
+ - 19186:9200/tcp
+ restart: always
+ ulimits:
+ memlock:
+ hard: -1
+ soft: -1
+ nofile:
+ hard: 65536
+ soft: 65536
+ volumes:
+ - wazuh-indexer-data:/var/lib/wazuh-indexer
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
+ wazuh-manager:
+ container_name: wazuh-manager
+ environment:
+ INDEXER_URL: https://wazuh.indexer:9200
+ INDEXER_USERNAME: admin
+ INDEXER_PASSWORD: ${WAZUH_INDEXER_PASSWORD}
+ FILEBEAT_SSL_VERIFICATION_MODE: full
+ SSL_CERTIFICATE_AUTHORITIES: /etc/ssl/root-ca.pem
+ SSL_CERTIFICATE: /etc/ssl/filebeat.pem
+ SSL_KEY: /etc/ssl/filebeat.key
+ API_USERNAME: wazuh-wui
+ API_PASSWORD: ${WAZUH_API_PASSWORD}
+ hostname: wazuh-manager
+ image: wazuh/wazuh-manager:4.12.0
+ ports:
+ - 1514:1514/tcp
+ - 1515:1515/tcp
+ - 514:514/udp
+ - 55000:55000/tcp
+ restart: always
+ ulimits:
+ memlock:
+ hard: -1
+ soft: -1
+ nofile:
+ hard: 655360
+ soft: 655360
+ volumes:
+ - wazuh_api_configuration:/var/ossec/api/configuration
+ - wazuh_etc:/var/ossec/etc
+ - wazuh_logs:/var/ossec/logs
+ - wazuh_queue:/var/ossec/queue
+ - wazuh_var_multigroups:/var/ossec/var/multigroups
+ - wazuh_integrations:/var/ossec/integrations
+ - wazuh_active_response:/var/ossec/active-response/bin
+ - wazuh_agentless:/var/ossec/agentless
+ - wazuh_wodles:/var/ossec/wodles
+ - wazuh_filebeat_etc:/etc/filebeat
+ - wazuh_filebeat_var:/var/lib/filebeat
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
+ - ${DOCKER_VOLUME_CONFIG}/wazuh/manager/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
web-check:
container_name: web-check
image: lissy93/web-check
@@ -6314,4 +6454,32 @@ volumes:
wallos-db:
name: wallos-db
wallos-logos:
- name: wallos-logos
\ No newline at end of file
+ name: wallos-logos
+ wazuh-dashboard-config:
+ name: wazuh-dashboard-config
+ wazuh-dashboard-custom:
+ name: wazuh-dashboard-custom
+ wazuh-indexer-data:
+ name: wazuh-indexer-data
+ wazuh_active_response:
+ name: wazuh_active_response
+ wazuh_filebeat_etc:
+ name: wazuh_filebeat_etc
+ wazuh_filebeat_var:
+ name: wazuh_filebeat_var
+ wazuh_agentless:
+ name: wazuh_agentless
+ wazuh_api_configuration:
+ name: wazuh_api_configuration
+ wazuh_etc:
+ name: wazuh_etc
+ wazuh_integrations:
+ name: wazuh_integrations
+ wazuh_logs:
+ name: wazuh_logs
+ wazuh_queue:
+ name: wazuh_queue
+ wazuh_var_multigroups:
+ name: wazuh_var_multigroups
+ wazuh_wodles:
+ name: wazuh_wodles
\ No newline at end of file