Trez/rinoa-docker
4
0
Fork 0
Code Issues 1 Pull Requests 9 Actions Activity

[ANSIBLE] Automated PR for wazuh-v4.12.0-deployment_2025-07-02T07-58-30 - #95 #95

Merged
Trez.One merged 1 commits from wazuh-v4.12.0-deployment_2025-07-02T07-58-30 into main 2025-07-02 10:41:46 -04:00
Conversation 0 Commits 1 Files Changed 5
+495 -4
5 changed files with 495 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ansible/app-configs/wazuh/dashboard/opensearch_dashboards.yml.j2
+12
View File
@@ -0,0 +1,12 @@
server.host: 0.0.0.0
server.port: 5601
opensearch.hosts: https://wazuh.indexer:9200
opensearch.ssl.verificationMode: certificate
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
ansible/app-configs/wazuh/wazuh.yml.j2 → ansible/app-configs/wazuh/dashboard/wazuh.yml.j2
View File
ansible/app-configs/wazuh/wazuh.indexer.yml.j2 → ansible/app-configs/wazuh/indexer/wazuh.indexer.yml.j2
View File
ansible/app-configs/wazuh/manager/wazuh_manager.conf.j2
+311
View File
@@ -0,0 +1,311 @@
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wazuh@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detection>
<enabled>yes</enabled>
<index-status>yes</index-status>
<feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
<indexer>
<enabled>yes</enabled>
<hosts>
<host>https://wazuh.indexer:9200</host>
</hosts>
<ssl>
<certificate_authorities>
<ca>/etc/ssl/root-ca.pem</ca>
</certificate_authorities>
<certificate>/etc/ssl/filebeat.pem</certificate>
<key>/etc/ssl/filebeat.key</key>
</ssl>
</indexer>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-wazuh</name>
<executable>restart-wazuh</executable>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<list>etc/lists/malicious-ioc/malicious-ip</list>
<list>etc/lists/malicious-ioc/malicious-domains</list>
<list>etc/lists/malicious-ioc/malware-hashes</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for wazuh-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<purge>yes</purge>
<use_password>no</use_password>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>node01</node_name>
<node_type>master</node_type>
<key>aa093264ef885029653eea20dfcf51ae</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh.manager</node>
</nodes>
<hidden>no</hidden>
<disabled>yes</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
</ossec_config>
docker-compose.yml
+172 -4
View File
@@ -1231,12 +1231,12 @@ services:
swag.uptime-kuma.monitor.interval: 300
### EXAMPLE CF TUNNEL LABELS ###
# Enable DockFlare management for this container
# - "cloudflare.tunnel.enable=true"
# - "cloudflare.tunnel.enable=true"
# The public hostname to expose
# - "cloudflare.tunnel.hostname=my-service.example.com"
# The internal service address (protocol://container_name_or_ip:port)
# Service type (http, https, tcp, ssh, rdp, http_status) is inferred from the prefix.
# - "cloudflare.tunnel.service=http://my-service:80"
# - "cloudflare.tunnel.service=http://my-service:80"
# Optional: Specify a URL path. Only requests to hostname/path will match.
# - "cloudflare.tunnel.path=/app"
# Optional: Specify a different Cloudflare Zone for this hostname
@@ -4827,7 +4827,7 @@ services:
# REDIS_PASSWORD: # [Optional] Support for secured redis
# [Optional] Will enable asynchronous tasks (all disabled by default)
# Important: Do NOT wrap the cron expression in quotes
ENABLE_RESCAN_ON_FILESYSTEM_CHANGE: true # Runs a quick scan on the library when a file is added or removed
ENABLE_RESCAN_ON_FILESYSTEM_CHANGE: true # Runs a quick scan on the library when a file is added or removed
RESCAN_ON_FILESYSTEM_CHANGE_DELAY: 5 # Delay in seconds before running the quick scan (default: 5)
ENABLE_SCHEDULED_RESCAN: true # Runs a quick scan on the library at a given time
SCHEDULED_RESCAN_CRON: 0 3 * * * # Cron expression for the scheduled scan (default: 0 3 * * * At 3:00 AM every day)
@@ -5904,6 +5904,146 @@ services:
source: /var/run/docker.sock
target: /var/run/docker.sock
type: bind
# wazuh-certs-generator:
# container_name: wazuh-certs-generator
# environment:
# HTTP_PROXY: wazuh.trez.wtf
# image: wazuh/wazuh-certs-generator:0.0.2
# hostname: wazuh-certs-generator
# volumes:
# - ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/:/certificates/
# - ${DOCKER_VOLUME_CONFIG}/wazuh/certs.yml:/config/certs.yml
# wazuh-agent:
# container_name: wazuh.agent
# environment:
# JOIN_MANAGER_PROTOCOL: https
# JOIN_MANAGER_MASTER_HOST: wazuh.manager
# JOIN_MANAGER_WORKER_HOST: wazuh.manager
# JOIN_MANAGER_USER: wazuh-wui
# JOIN_MANAGER_PASSWORD: ${WAZUH_API_PASSWORD}
# JOIN_MANAGER_API_PORT: 55000
# JOIN_MANAGER_PORT: 1514
# VIRUS_TOTAL_KEY: ${VIRUS_TOTAL_API_KEY}
# DOCKER_HOST: tcp://dockerproxy:2375
# hostname: wazuh.agent
# image: kennyopennix/wazuh-agent:4.11.1
# networks:
# default: null
# restart: unless-stopped
wazuh-dashboard:
container_name: wazuh-dashboard
depends_on:
wazuh-indexer:
condition: service_started
required: true
wazuh-manager:
condition: service_started
required: true
restart: true
environment:
INDEXER_USERNAME: admin
INDEXER_PASSWORD: ${WAZUH_INDEXER_PASSWORD}
WAZUH_API_URL: https://wazuh.manager
DASHBOARD_USERNAME: kibanaserver
DASHBOARD_PASSWORD: ${WAZUH_KIBANA_PASSWORD}
API_USERNAME: wazuh-wui
API_PASSWORD: ${WAZUH_API_PASSWORD}
hostname: wazuh-dashboard
image: wazuh/wazuh-dashboard:4.12.0
labels:
swag: enable
swag_proto: https
swag_port: 5601
swag_url: wsec.${MY_TLD}
swag.uptime-kuma.enabled: true
swag.uptime-kuma.monitor.url: https://wazuh.${MY_TLD}
homepage.group: Privacy/Security
homepage.name: Wazuh
homepage.href: https://wazuh.${MY_TLD}
homepage.icon: wazuh.svg
homepage.description: OSS Security Platform for XDR/SIEM
links:
- wazuh-indexer:wazuh-indexer
- wazuh-manager:wazuh-manager
ports:
- 5601:5601/tcp
restart: always
volumes:
- ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
- ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
- ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
- ${DOCKER_VOLUME_CONFIG}/wazuh/dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
- ${DOCKER_VOLUME_CONFIG}/wazuh/dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
- wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
- wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
wazuh-indexer:
container_name: wazuh-indexer
environment:
OPENSEARCH_JAVA_OPTS: -Xms512m -Xmx512m
hostname: wazuh-indexer
image: wazuh/wazuh-indexer:4.12.0
ports:
- 19186:9200/tcp
restart: always
ulimits:
memlock:
hard: -1
soft: -1
nofile:
hard: 65536
soft: 65536
volumes:
- wazuh-indexer-data:/var/lib/wazuh-indexer
- ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
- ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
- ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
- ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
- ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
- ${DOCKER_VOLUME_CONFIG}/wazuh/indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
- ${DOCKER_VOLUME_CONFIG}/wazuh/indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
wazuh-manager:
container_name: wazuh-manager
environment:
INDEXER_URL: https://wazuh.indexer:9200
INDEXER_USERNAME: admin
INDEXER_PASSWORD: ${WAZUH_INDEXER_PASSWORD}
FILEBEAT_SSL_VERIFICATION_MODE: full
SSL_CERTIFICATE_AUTHORITIES: /etc/ssl/root-ca.pem
SSL_CERTIFICATE: /etc/ssl/filebeat.pem
SSL_KEY: /etc/ssl/filebeat.key
API_USERNAME: wazuh-wui
API_PASSWORD: ${WAZUH_API_PASSWORD}
hostname: wazuh-manager
image: wazuh/wazuh-manager:4.12.0
ports:
- 1514:1514/tcp
- 1515:1515/tcp
- 514:514/udp
- 55000:55000/tcp
restart: always
ulimits:
memlock:
hard: -1
soft: -1
nofile:
hard: 655360
soft: 655360
volumes:
- wazuh_api_configuration:/var/ossec/api/configuration
- wazuh_etc:/var/ossec/etc
- wazuh_logs:/var/ossec/logs
- wazuh_queue:/var/ossec/queue
- wazuh_var_multigroups:/var/ossec/var/multigroups
- wazuh_integrations:/var/ossec/integrations
- wazuh_active_response:/var/ossec/active-response/bin
- wazuh_agentless:/var/ossec/agentless
- wazuh_wodles:/var/ossec/wodles
- wazuh_filebeat_etc:/etc/filebeat
- wazuh_filebeat_var:/var/lib/filebeat
- ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
- ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
- ${DOCKER_VOLUME_CONFIG}/wazuh/indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
- ${DOCKER_VOLUME_CONFIG}/wazuh/manager/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
web-check:
container_name: web-check
image: lissy93/web-check
@@ -6314,4 +6454,32 @@ volumes:
wallos-db:
name: wallos-db
wallos-logos:
name: wallos-logos
name: wallos-logos
wazuh-dashboard-config:
name: wazuh-dashboard-config
wazuh-dashboard-custom:
name: wazuh-dashboard-custom
wazuh-indexer-data:
name: wazuh-indexer-data
wazuh_active_response:
name: wazuh_active_response
wazuh_filebeat_etc:
name: wazuh_filebeat_etc
wazuh_filebeat_var:
name: wazuh_filebeat_var
wazuh_agentless:
name: wazuh_agentless
wazuh_api_configuration:
name: wazuh_api_configuration
wazuh_etc:
name: wazuh_etc
wazuh_integrations:
name: wazuh_integrations
wazuh_logs:
name: wazuh_logs
wazuh_queue:
name: wazuh_queue
wazuh_var_multigroups:
name: wazuh_var_multigroups
wazuh_wodles:
name: wazuh_wodles