From 2374d0659bdc00a15243b1f7de22fe1da86f4f21 Mon Sep 17 00:00:00 2001
From: Javier Medeot
Date: Wed, 24 Jan 2024 17:09:14 -0300
Subject: [PATCH 01/34] Remove suricata.yaml template

---
 .../learning-wazuh/suricata.yaml | 1064 -----------------
 1 file changed, 1064 deletions(-)
 delete mode 100644 documentation-templates/learning-wazuh/suricata.yaml

diff --git a/documentation-templates/learning-wazuh/suricata.yaml b/documentation-templates/learning-wazuh/suricata.yaml
deleted file mode 100644
index 9408ccddc4..0000000000
--- a/documentation-templates/learning-wazuh/suricata.yaml
+++ /dev/null
@@ -1,1064 +0,0 @@ -%YAML 1.1 ---- - -# This file was created by Kevin Branch (https://branchnetconsulting.com/) - -# Suricata configuration file. In addition to the comments describing all -# options in this file, full documentation can be found at: -# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml - -# NOTE: This version of the Suricata.yaml file is modified by the Emerging Threats -# Pro Team to reflect the default assumptions on inspection depths. Comments have been -# added to note where users may tune defaults back where performance is a -# concern. The default stance of this config is maximum detection. -# Decisions on features such as file extraction and pcap logging must be made -# locally. These are left at defaults. - -# Number of packets allowed to be processed simultaneously. Default is a -# conservative 1024. A higher number will make sure CPU's/CPU cores will be -# more easily kept busy, but may negatively impact caching. -# -# If you are using the CUDA pattern matcher (b2g_cuda below), different rules -# apply. In that case try something like 4000 or more. This is because the CUDA -# pattern matcher scans many packets in parallel. -max-pending-packets: 5000 - -# Runmode the engine should use. Please check --list-runmodes to get the available -# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned -# load balancing). -#runmode: autofp - -# Specifies the kind of flow load balancer used by the flow pinned autofp mode. -# -# Supported schedulers are: -# -# round-robin - Flows assigned to threads in a round robin fashion. -# active-packets - Flows assigned to threads that have the lowest number of -# unprocessed packets (default). -# hash - Flow alloted usihng the address hash. More of a random -# technique. Was the default in Suricata 1.2.1 and older. -# -#autofp-scheduler: active-packets - -# Default pid file. -# Will use this file if no --pidfile in command options. 
-#pid-file: /var/run/suricata.pid - -# Preallocated size for packet. Default is 1514 which is the classical -# size for pcap on ethernet. You should adjust this value to the highest -# packet size (MTU + hardware header) on your system. -#default-packet-size: 1514 - -# The default logging directory. Any log or output file will be -# placed here if its not specified with a full path name. This can be -# overridden with the -l command line parameter. -default-log-dir: /var/log/suricata/ - -# Unix command socket can be used to pass commands to suricata. -# An external tool can then connect to get information from suricata -# or trigger some modification of the engine. -#unix-command: yes - -# Configure the type of alert (and other) logging you would like. -outputs: - - # a line based alerts log similar to Snort's fast.log - - fast: - enabled: yes - filename: fast.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # alert output for use with Barnyard2 - - unified2-alert: - enabled: yes - filename: unified2.alert - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - #limit: 32mb - - # a line based log of HTTP requests (no alerts) - - http-log: - enabled: yes - filename: http.log - append: yes - #extended: yes # enable this for extended logging information - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # a line based log of TLS handshake parameters (no alerts) - - tls-log: - enabled: yes # Log TLS connections. - filename: tls.log # File to store TLS logs. - extended: yes # Log extended information like fingerprint - certs-log-dir: certs # directory to store the certificates files - - # a line based log to used with pcap file study. 
- # this module is dedicated to offline pcap parsing (empty output - # if used with another kind of input). It can interoperate with - # pcap parser like wireshark via the suriwire plugin. - - pcap-info: - enabled: no - - # Packet log... log packets in pcap format. 2 modes of operation: "normal" - # and "sguil". - # - # In normal mode a pcap file "filename" is created in the default-log-dir, - # or are as specified by "dir". In Sguil mode "dir" indicates the base directory. - # In this base dir the pcaps are created in th directory structure Sguil expects: - # - # $sguil-base-dir/YYYY-MM-DD/$filename. - # - # By default all packets are logged except: - # - TCP streams beyond stream.reassembly.depth - # - encrypted streams after the key exchange - # - - pcap-log: - enabled: no - filename: log.pcap - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - limit: 1000mb - - # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" - max-files: 2000 - - mode: normal # normal or sguil. - #sguil-base-dir: /nsm_data/ - #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec - use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets - - # a full alerts log containing much information for signature writers - # or for investigating suspected false positives. - - alert-debug: - enabled: no - filename: alert-debug.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # alert output to prelude (http://www.prelude-technologies.com/) only - # available if Suricata has been compiled with --enable-prelude - - alert-prelude: - enabled: no - profile: suricata - log-packet-content: no - log-packet-header: yes - - # Stats.log contains data from various counters of the suricata engine. 
- # The interval field (in seconds) tells after how long output will be written - # on the log file. - - stats: - enabled: yes - filename: stats.log - interval: 8 - - # a line based alerts log similar to fast.log into syslog - - syslog: - enabled: yes - # reported identity to syslog. If ommited the program name (usually - # suricata) will be used. - #identity: "suricata" - facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - - # a line based information for dropped packets in IPS mode - - drop: - enabled: no - filename: drop.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # output module to store extracted files to disk - # - # The files are stored to the log-dir in a format "file." where is - # an incrementing number starting at 1. For each file "file." a meta - # file "file..meta" is created. - # - # File extraction depends on a lot of things to be fully done: - # - stream reassembly depth. For optimal results, set this to 0 (unlimited) - # - http request / response body sizes. Again set to 0 for optimal results. - # - rules that contain the "filestore" keyword. 
- - file-store: - enabled: no # set to yes to enable - log-dir: files # directory to store the files - force-magic: no # force logging magic on all stored files - force-md5: no # force logging of md5 checksums - #waldo: file.waldo # waldo file to store the file_id across runs - - # output module to log files tracked in a easily parsable json format - - file-log: - enabled: no - filename: files-json.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - force-magic: no # force logging magic on all logged files - force-md5: no # force logging of md5 checksums - - - eve-log: - enabled: yes - filetype: regular #regular|syslog|unix_dgram|unix_stream|redis - filename: eve.json - #prefix: "@cee: " # prefix to prepend to each log entry - # the following are valid when type: syslog above - #identity: "suricata" - #facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - #redis: - # server: 127.0.0.1 - # port: 6379 - # async: true ## if redis replies are read asynchronously - # mode: list ## possible values: list|lpush (default), rpush, channel|publish - # ## lpush and rpush are using a Redis list. "list" is an alias for lpush - # ## publish is using a Redis channel. "channel" is an alias for publish - # key: suricata ## key or channel to use (default to suricata) - # Redis pipelining set up. This will enable to only do a query every - # 'batch-size' events. This should lower the latency induced by network - # connection at the cost of some memory. There is no flushing implemented - # so this setting as to be reserved to high traffic suricata. 
- # pipelining: - # enabled: yes ## set enable to yes to enable query pipelining - # batch-size: 10 ## number of entry to keep in buffer - types: - - alert: - # payload: yes # enable dumping payload in Base64 - # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log - # payload-printable: yes # enable dumping payload in printable (lossy) format - # packet: yes # enable dumping of packet (without stream segments) - # http-body: yes # enable dumping of http body in Base64 - # http-body-printable: yes # enable dumping of http body in printable format - metadata: yes # add L7/applayer fields, flowbit and other vars to the alert - - # Enable the logging of tagged packets for rules using the - # "tag" keyword. - tagged-packets: yes - - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - - -# Magic file. The extension .mgc is added to the value here. -#magic-file: /usr/share/file/magic -magic-file: /usr/share/file/magic - -# When running in NFQ inline mode, it is possible to use a simulated -# non-terminal NFQUEUE verdict. -# This permit to do send all needed packet to suricata via this a rule: -# iptables -I FORWARD -m mark ! 
--mark $MARK/$MASK -j NFQUEUE -# And below, you can have your standard filtering ruleset. To activate -# this mode, you need to set mode to 'repeat' -# If you want packet to be sent to another queue after an ACCEPT decision -# set mode to 'route' and set next-queue value. -# On linux >= 3.6, you can set the fail-open option to yes to have the kernel -# accept the packet if suricata is not able to keep pace. -nfq: -# mode: accept -# repeat-mark: 1 -# repeat-mask: 1 -# route-queue: 2 -# fail-open: yes - -# af-packet support -# Set threads to > 1 to use PACKET_FANOUT support -af-packet: - - interface: eth0 - # Number of receive threads (>1 will enable experimental flow pinned - # runmode) - threads: 1 - # Default clusterid. AF_PACKET will load balance packets based on flow. - # All threads/processes that will participate need to have the same - # clusterid. - cluster-id: 99 - # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. - # This is only supported for Linux kernel > 3.1 - # possible value are: - # * cluster_round_robin: round robin load balancing - # * cluster_flow: all packets of a given flow are send to the same socket - # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket - cluster-type: cluster_flow - # In some fragmentation case, the hash can not be computed. If "defrag" is set - # to yes, the kernel will do the needed defragmentation before sending the packets. - defrag: yes - # To use the ring feature of AF_PACKET, set 'use-mmap' to yes - use-mmap: yes - # Ring size will be computed with respect to max_pending_packets and number - # of threads. You can set manually the ring size in number of packets by setting - # the following value. 
If you are using flow cluster-type and have really network - # intensive single-flow you could want to set the ring-size independantly of the number - # of threads: - #ring-size: 2048 - # On busy system, this could help to set it to yes to recover from a packet drop - # phase. This will result in some packets (at max a ring flush) being non treated. - #use-emergency-flush: yes - # recv buffer size, increase value could improve performance - # buffer-size: 32768 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - kernel: use indication sent by kernel for each packet (default) - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: kernel - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - # You can use the following variables to activate AF_PACKET tap od IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - #copy-mode: ips - #copy-iface: eth1 - - interface: eth0 - threads: 1 - cluster-id: 98 - cluster-type: cluster_flow - defrag: yes - # buffer-size: 32768 - # disable-promisc: no - -# You can specify a threshold config file by setting "threshold-file" -# to the path of the threshold config file: -# threshold-file: /etc/suricata/threshold.config - -# The detection engine builds internal groups of signatures. 
The engine -# allow us to specify the profile to use for them, to manage memory on an -# efficient way keeping a good performance. For the profile keyword you -# can use the words "low", "medium", "high" or "custom". If you use custom -# make sure to define the values at "- custom-values" as your convenience. -# Usually you would prefer medium/high/low. -# -# "sgh mpm-context", indicates how the staging should allot mpm contexts for -# the signature groups. "single" indicates the use of a single context for -# all the signature group heads. "full" indicates a mpm-context for each -# group head. "auto" lets the engine decide the distribution of contexts -# based on the information the engine gathers on the patterns from each -# group head. -# -# The option inspection-recursion-limit is used to limit the recursive calls -# in the content inspection code. For certain payload-sig combinations, we -# might end up taking too much time in the content inspection code. -# If the argument specified is 0, the engine uses an internally defined -# default limit. On not specifying a value, we use no limits on the recursion. -detect-engine: - - profile: medium - - custom-values: - toclient-src-groups: 2 - toclient-dst-groups: 2 - toclient-sp-groups: 2 - toclient-dp-groups: 3 - toserver-src-groups: 2 - toserver-dst-groups: 4 - toserver-sp-groups: 2 - toserver-dp-groups: 25 - - sgh-mpm-context: auto - - inspection-recursion-limit: 3000 - # When rule-reload is enabled, sending a USR2 signal to the Suricata process - # will trigger a live rule reload. Experimental feature, use with care. - #- rule-reload: true - # If set to yes, the loading of signatures will be made after the capture - # is started. This will limit the downtime in IPS mode. - #- delayed-detect: yes - -# Suricata is multi-threaded. Here the threading can be influenced. -threading: - # On some cpu's/architectures it is beneficial to tie individual threads - # to specific CPU's/CPU cores. 
In this case all threads are tied to CPU0, - # and each extra CPU/core has one "detect" thread. - # - # On Intel Core2 and Nehalem CPU's enabling this will degrade performance. - # - set-cpu-affinity: no - # Tune cpu affinity of suricata threads. Each family of threads can be bound - # on specific CPUs. - cpu-affinity: - - management-cpu-set: - cpu: [ 0 ] # include only these cpus in affinity settings - - receive-cpu-set: - cpu: [ 0 ] # include only these cpus in affinity settings - - decode-cpu-set: - cpu: [ 0, 1 ] - mode: "balanced" - - stream-cpu-set: - cpu: [ "0-1" ] - - detect-cpu-set: - cpu: [ "all" ] - mode: "exclusive" # run detect threads in these cpus - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - # threads: 3 - prio: - low: [ 0 ] - medium: [ "1-2" ] - high: [ 3 ] - default: "medium" - - verdict-cpu-set: - cpu: [ 0 ] - prio: - default: "high" - - reject-cpu-set: - cpu: [ 0 ] - prio: - default: "low" - - output-cpu-set: - cpu: [ "all" ] - prio: - default: "medium" - # - # By default Suricata creates one "detect" thread per available CPU/CPU core. - # This setting allows controlling this behaviour. A ratio setting of 2 will - # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this - # will result in 4 detect threads. If values below 1 are used, less threads - # are created. So on a dual core CPU a setting of 0.5 results in 1 detect - # thread being created. Regardless of the setting at a minimum 1 detect - # thread will always be created. - # - detect-thread-ratio: 1.5 - -# Cuda configuration. -cuda: - # The "mpm" profile. On not specifying any of these parameters, the engine's - # internal default values are used, which are same as the ones specified here. - - mpm: - # Threshold limit for no of packets buffered to the GPU. Once we hit this - # limit, we pass the buffer to the gpu. - packet-buffer-limit: 2400 - # The maximum length for a packet that we would buffer to the gpu. 
- # Anything over this is MPM'ed on the CPU. All entries > 0 are valid. - # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. - packet-size-limit: 1500 - # No of packet buffers we initialize. All entries > 0 are valid. - packet-buffers: 10 - # The timeout limit for batching of packets in secs. If we don't fill the - # buffer within this timeout limit, we pass the currently filled buffer to the gpu. - # All entries > 0 are valid. - batching-timeout: 1 - # Specifies whether to use page-locked memory whereever possible. Accepted values - # are "enabled" and "disabled". - page-locked: enabled - # The device to use for the mpm. Currently we don't support load balancing - # on multiple gpus. In case you have multiple devices on your system, you - # can specify the device to use, using this conf. By default we hold 0, to - # specify the first device cuda sees. To find out device-id associated with - # the card(s) on the system run "suricata --list-cuda-cards". - device-id: 0 - # No of Cuda streams used for asynchronous processing. All values > 0 are valid. - # For this option you need a device with Compute Capability > 1.0 and - # page-locked enabled to have any effect. - cuda-streams: 2 - -# Select the multi pattern algorithm you want to run for scan/search the -# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber, -# ac and ac-gfbs. -# -# The mpm you choose also decides the distribution of mpm contexts for -# signature groups, specified by the conf - "detect-engine.sgh-mpm-context". -# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context" -# to be set to "single", because of ac's memory requirements, unless the -# ruleset is small enough to fit in one's memory, in which case one can -# use "full" with "ac". Rest of the mpms can be run in "full" mode. -# -# There is also a CUDA pattern matcher (only available if Suricata was -# compiled with --enable-cuda: b2g_cuda. 
Make sure to update your -# max-pending-packets setting above as well if you use b2g_cuda. - -mpm-algo: ac - -# The memory settings for hash size of these algorithms can vary from lowest -# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max -# (65536). The bloomfilter sizes of these algorithms can vary from low (512) - -# medium (1024) - high (2048). -# -# For B2g/B3g algorithms, there is a support for two different scan/search -# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and -# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms -# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch & -# B3gSearchBNDMq. -# -# For B2g the different scan/search algorithms and, hash and bloom -# filter size settings. For B3g the different scan/search algorithms and, hash -# and bloom filter size settings. For wumanber the hash and bloom filter size -# settings. - -pattern-matcher: - - b2gc: - search-algo: B2gSearchBNDMq - hash-size: low - bf-size: medium - - b2gm: - search-algo: B2gSearchBNDMq - hash-size: low - bf-size: medium - - b2g: - search-algo: B2gSearchBNDMq - hash-size: low - bf-size: medium - - b3g: - search-algo: B3gSearchBNDMq - hash-size: low - bf-size: medium - - wumanber: - hash-size: low - bf-size: medium - -# Defrag settings: - -defrag: - trackers: 65535 # number of defragmented flows to follow - max-frags: 65535 # number of fragments to keep (higher than trackers) - prealloc: yes - timeout: 60 - -# Flow settings: -# By default, the reserved memory (memcap) for flows is 32MB. This is the limit -# for flow allocation inside the engine. You can change this value to allow -# more memory usage for flows. -# The hash-size determine the size of the hash used to identify flows inside -# the engine, and by default the value is 65536. -# At the startup, the engine can preallocate a number of flows, to get a better -# performance. The number of flows preallocated is 10000 by default. 
-# emergency-recovery is the percentage of flows that the engine need to -# prune before unsetting the emergency state. The emergency state is activated -# when the memcap limit is reached, allowing to create new flows, but -# prunning them with the emergency timeouts (they are defined below). -# If the memcap is reached, the engine will try to prune flows -# with the default timeouts. If it doens't find a flow to prune, it will set -# the emergency bit and it will try again with more agressive timeouts. -# If that doesn't work, then it will try to kill the last time seen flows -# not in use. -# The memcap can be specified in kb, mb, gb. Just a number indicates it's -# in bytes. - -flow: - memcap: 32mb - hash-size: 65536 - prealloc: 10000 - emergency-recovery: 30 - -# Specific timeouts for flows. Here you can specify the timeouts that the -# active flows will wait to transit from the current state to another, on each -# protocol. The value of "new" determine the seconds to wait after a hanshake or -# stream startup before the engine free the data of that flow it doesn't -# change the state to established (usually if we don't receive more packets -# of that flow). The value of "established" is the amount of -# seconds that the engine will wait to free the flow if it spend that amount -# without receiving new packets or closing the connection. "closed" is the -# amount of time to wait after a flow is closed (usually zero). -# -# There's an emergency mode that will become active under attack circumstances, -# making the engine to check flow status faster. This configuration variables -# use the prefix "emergency-" and work similar as the normal ones. -# Some timeouts doesn't apply to all the protocols, like "closed", for udp and -# icmp. 
- -flow-timeouts: - - default: - new: 30 - established: 300 - closed: 0 - emergency-new: 10 - emergency-established: 100 - emergency-closed: 0 - tcp: - new: 60 - established: 3600 - closed: 120 - emergency-new: 10 - emergency-established: 300 - emergency-closed: 20 - udp: - new: 30 - established: 300 - emergency-new: 10 - emergency-established: 100 - icmp: - new: 30 - established: 300 - emergency-new: 10 - emergency-established: 100 - -# Stream engine settings. Here the TCP stream tracking and reaasembly -# engine is configured. -# -# stream: -# memcap: 32mb # Can be specified in kb, mb, gb. Just a -# # number indicates it's in bytes. -# checksum-validation: yes # To validate the checksum of received -# # packet. If csum validation is specified as -# # "yes", then packet with invalid csum will not -# # be processed by the engine stream/app layer. -# # Warning: locally generated trafic can be -# # generated without checksum due to hardware offload -# # of checksum. You can control the handling of checksum -# # on a per-interface basis via the 'checksum-checks' -# # option -# max-sessions: 262144 # 256k concurrent sessions -# prealloc-sessions: 32768 # 32k sessions prealloc'd -# midstream: false # don't allow midstream session pickups -# async-oneside: false # don't enable async stream handling -# inline: no # stream inline mode -# -# reassembly: -# memcap: 64mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. -# depth: 1mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. -# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. -# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. 
- -stream: - memcap: 32mb - checksum-validation: yes # reject wrong csums - inline: no # no inline mode - reassembly: - memcap: 64mb - depth: 1mb # reassemble 1mb into a stream - toserver-chunk-size: 2560 - toclient-chunk-size: 2560 - -# Host table: -# -# Host table is used by tagging and per host thresholding subsystems. -# -host: - hash-size: 4096 - prealloc: 1000 - memcap: 16777216 - -# Logging configuration. This is not about logging IDS alerts, but -# IDS output about what its doing, errors, etc. -logging: - - # The default log level, can be overridden in an output section. - # Note that debug level logging will only be emitted if Suricata was - # compiled with the --enable-debug configure option. - # - # This value is overriden by the SC_LOG_LEVEL env var. - default-log-level: info - - # The default output format. Optional parameter, should default to - # something reasonable if not provided. Can be overriden in an - # output section. You can leave this out to get the default. - # - # This value is overriden by the SC_LOG_FORMAT env var. - #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " - - # A regex to filter output. Can be overridden in an output section. - # Defaults to empty (no filter). - # - # This value is overriden by the SC_LOG_OP_FILTER env var. - default-output-filter: - - # Define your logging outputs. If none are defined, or they are all - # disabled you will get the default - console output. - outputs: - - console: - enabled: yes - - file: - enabled: yes - filename: /var/log/suricata.log - - syslog: - enabled: yes - facility: local5 - format: "[%i] <%d> -- " - -# PF_RING configuration. for use with native PF_RING support -# for more info see http://www.ntop.org/PF_RING.html -pfring: - - interface: eth0 - # Number of receive threads (>1 will enable experimental flow pinned - # runmode) - threads: 1 - - # Default clusterid. PF_RING will load balance packets based on flow. 
- # All threads/processes that will participate need to have the same - # clusterid. - cluster-id: 99 - - # Default PF_RING cluster type. PF_RING can load balance per flow or per hash. - # This is only supported in versions of PF_RING > 4.1.1. - cluster-type: cluster_round_robin - # bpf filter for this interface - #bpf-filter: tcp - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - rxonly: only compute checksum for packets received by network card. - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # Second interface - #- interface: eth0 - # threads: 3 - # cluster-id: 93 - # cluster-type: cluster_flow - -pcap: - - interface: eth0 - #buffer-size: 32768 - #bpf-filter: "tcp and port 25" - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - -# For FreeBSD ipfw(8) divert(4) support. -# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" -# in /etc/loader.conf or kldload'ing the appropriate kernel modules. -# Additionally, you need to have an ipfw rule for the engine to see -# the packets from ipfw. 
For Example: -# -# ipfw add 100 divert 8000 ip from any to any -# -# The 8000 above should be the same number you passed on the command -# line, i.e. -d 8000 -# -ipfw: - - # Reinject packets at the specified ipfw rule number. This config - # option is the ipfw rule number AT WHICH rule processing continues - # in the ipfw processing system after the engine has finished - # inspecting the packet for acceptance. If no rule number is specified, - # accepted packets are reinjected at the divert rule which they entered - # and IPFW rule processing continues. No check is done to verify - # this will rule makes sense so care must be taken to avoid loops in ipfw. - # - ## The following example tells the engine to reinject packets - # back into the ipfw firewall AT rule number 5500: - # - # ipfw-reinjection-rule-number: 5500 - -# Set the default rule path here to search for the files. -# if not set, it will look at the current working dir -default-rule-path: /etc/suricata/rules/ -rule-files: - -#Malware/trojan oriented rules - - emerging-trojan.rules - - emerging-malware.rules - - emerging-mobile_malware.rules - - emerging-worm.rules - - emerging-user_agents.rules - - emerging-current_events.rules - -#important but relatively low load rules you'll likely want to keep on - - emerging-ftp.rules - - emerging-pop3.rules - - emerging-rpc.rules - - emerging-attack_response.rules -# - emerging-icmp.rules - - emerging-scan.rules - - emerging-voip.rules - - emerging-imap.rules - - emerging-web_server.rules - - emerging-smtp.rules - - emerging-dns.rules - - emerging-misc.rules - - emerging-snmp.rules - - emerging-sql.rules - - emerging-dos.rules - - emerging-telnet.rules - - emerging-exploit.rules - - emerging-tftp.rules - -#useful but often high load rules. 
Look here for performance tuning - - emerging-web_client.rules - - emerging-netbios.rules - -#things you'll want to look through and consider policy needs - - emerging-policy.rules -# - emerging-games.rules - - emerging-p2p.rules - - emerging-chat.rules - -#informational, not recommended for high speed nets -# - emerging-icmp_info.rules -# - emerging-info.rules -# - emerging-shellcode.rules -# - emerging-inappropriate.rules -# - emerging-web_specific_apps.rules -# - emerging-activex.rules - -#ip based rules - - botcc.rules -# - botcc.portgrouped.rules - - ciarmy.rules - - compromised.rules - - drop.rules - - dshield.rules - - tor.rules - -#only use the scada_special if you have the scada extensions compiled int -# - emerging-scada_special.rules -# - emerging-scada.rules - -classification-file: /etc/suricata/classification.config -reference-config-file: /etc/suricata/reference.config - -# Holds variables that would be used by the engine. -vars: - - # Holds the address group vars that would be passed in a Signature. - # These would be retrieved during the Signature address parsing stage. - address-groups: - - HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" - - EXTERNAL_NET: "any" - - HTTP_SERVERS: "$HOME_NET" - - SMTP_SERVERS: "$HOME_NET" - - SQL_SERVERS: "$HOME_NET" - - DNS_SERVERS: "$HOME_NET" - - TELNET_SERVERS: "$HOME_NET" - - AIM_SERVERS: "$EXTERNAL_NET" - - DNP3_SERVER: "$HOME_NET" - - DNP3_CLIENT: "$HOME_NET" - - MODBUS_CLIENT: "$HOME_NET" - - MODBUS_SERVER: "$HOME_NET" - - ENIP_CLIENT: "$HOME_NET" - - ENIP_SERVER: "$HOME_NET" - - - # Holds the port group vars that would be passed in a Signature. - # These would be retrieved during the Signature port parsing stage. 
- port-groups: - - HTTP_PORTS: "80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555" - - SHELLCODE_PORTS: "!80" - - ORACLE_PORTS: 1521 - - SSH_PORTS: 22 - - DNP3_PORTS: 20000 - - -# Set the order of alerts bassed on actions -# The default order is pass, drop, reject, alert -action-order: - - pass - - drop - - reject - - alert - - -# Host specific policies for defragmentation and TCP stream -# reassembly. The host OS lookup is done using a radix tree, just -# like a routing table so the most specific entry matches. -host-os-policy: - # Make the default policy windows. - windows: [0.0.0.0/0] - bsd: [] - bsd-right: [] - old-linux: [] - linux: [] - old-solaris: [] - solaris: [] - hpux10: [] - hpux11: [] - irix: [] - macos: [] - vista: [] - windows2k3: [] - - -# Limit for the maximum number of asn1 frames to decode (default 256) -asn1-max-frames: 256 - -# When run with the option --engine-analysis, the engine will read each of -# the parameters below, and print reports for each of the enabled sections -# and exit. The reports are printed to a file in the default log dir -# given by the parameter "default-log-dir", with engine reporting -# subsection below printing reports in its own report file. -engine-analysis: - # enables printing reports for fast-pattern for every rule. - rules-fast-pattern: yes - # enables printing reports for each rule - rules: yes - -#recursion and match limits for PCRE where supported -pcre: - match-limit: 3500 - match-limit-recursion: 1500 - -########################################################################### -# Configure libhtp. -# -# -# default-config: Used when no server-config matches -# personality: List of personalities used by default -# request-body-limit: Limit reassembly of request body for inspection -# by http_client_body & pcre /P option. 
-# response-body-limit: Limit reassembly of response body for inspection -# by file_data, http_server_body & pcre /Q option. -# double-decode-path: Double decode path section of the URI -# double-decode-query: Double decode query section of the URI -# -# server-config: List of server configurations to use if address matches -# address: List of ip addresses or networks for this block -# personalitiy: List of personalities used by this block -# request-body-limit: Limit reassembly of request body for inspection -# by http_client_body & pcre /P option. -# response-body-limit: Limit reassembly of response body for inspection -# by file_data, http_server_body & pcre /Q option. -# double-decode-path: Double decode path section of the URI -# double-decode-query: Double decode query section of the URI -# -# Currently Available Personalities: -# Minimal -# Generic -# IDS (default) -# IIS_4_0 -# IIS_5_0 -# IIS_5_1 -# IIS_6_0 -# IIS_7_0 -# IIS_7_5 -# Apache -# Apache_2_2 -########################################################################### -libhtp: - - default-config: - personality: IDS - # Can be specified in kb, mb, gb. Just a number indicates - # it's in bytes. - request-body-limit: 0 - response-body-limit: 0 - double-decode-path: no - double-decode-query: no - -##### Set proper personality for your net ####### -# server-config: -# -# - apache: -# address: [192.168.1.0/24, 127.0.0.0/8, "::1"] -# personality: Apache_2_2 -# # Can be specified in kb, mb, gb. Just a number indicates -# # it's in bytes. -# request-body-limit: 0 -# response-body-limit: 0 -# double-decode-path: no -# double-decode-query: no -# -# - iis7: -# address: -# - 192.168.0.0/24 -# - 192.168.10.0/24 -# personality: IIS_7_0 -# # Can be specified in kb, mb, gb. Just a number indicates -# # it's in bytes. -# request-body-limit: 0 -# response-body-limit: 0 -# double-decode-path: no -# double-decode-query: no - -# Profiling settings. 
Only effective if Suricata has been built with the -# the --enable-profiling configure flag. -# -profiling: - - # rule profiling - rules: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: rule_perf.log - append: yes - - # Sort options: ticks, avgticks, checks, matches, maxticks - sort: avgticks - - # Limit the number of items printed at exit. - #limit: 100 - - # packet profiling - packets: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: packet_stats.log - append: yes - - # per packet csv output - csv: - - # Output can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: no - filename: packet_stats.csv - - # profiling of locking. Only available when Suricata was built with - # --enable-profiling-locks. - locks: - enabled: no - filename: lock_stats.log - append: yes - -# Suricata core dump configuration. Limits the size of the core dump file to -# approximately max-dump. The actual core dump size will be a multiple of the -# page size. Core dumps that would be larger than max-dump are truncated. On -# Linux, the actual core dump size may be a few pages larger than max-dump. -# Setting max-dump to 0 disables core dumping. -# Setting max-dump to 'unlimited' will give the full core dump file. -# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size -# to be 'unlimited'. - -coredump: - max-dump: unlimited - From 1776922968eba7d27fc0d0044cc7f1bd9b71cc92 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 6 Feb 2024 12:20:53 +0100 Subject: [PATCH 02/34] `lsof` and `openssl` are installed separately --- unattended_installer/install_functions/checks.sh | 9 +++++++++ .../install_functions/installCommon.sh | 10 ++++++++++ unattended_installer/install_functions/installMain.sh | 1 - 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/unattended_installer/install_functions/checks.sh b/unattended_installer/install_functions/checks.sh index c1754d4855..b25327394f 100644 --- a/unattended_installer/install_functions/checks.sh +++ b/unattended_installer/install_functions/checks.sh @@ -338,6 +338,15 @@ function checks_specifications() { function checks_ports() { + dep="lsof" + if [ "${sys_type}" == "yum" ]; then + installCommon_yumInstallList "${dep}" + wia_dependencies_installed+=("${dep}") + elif [ "${sys_type}" == "apt-get" ]; then + installCommon_aptInstallList "${dep}" + wia_dependencies_installed+=("${dep}") + fi + common_logger -d "Checking ports availability." used_port=0 ports=("$@") diff --git a/unattended_installer/install_functions/installCommon.sh b/unattended_installer/install_functions/installCommon.sh index 500c76f002..b15be9fb4b 100644 --- a/unattended_installer/install_functions/installCommon.sh +++ b/unattended_installer/install_functions/installCommon.sh @@ -214,6 +214,16 @@ function installCommon_createInstallFiles() { if eval "mkdir /tmp/wazuh-install-files ${debug}"; then common_logger "Generating configuration files." + + dep="openssl" + if [ "${sys_type}" == "yum" ]; then + installCommon_yumInstallList "${dep}" + wia_dependencies_installed+=("${dep}") + elif [ "${sys_type}" == "apt-get" ]; then + installCommon_aptInstallList "${dep}" + wia_dependencies_installed+=("${dep}") + fi + if [ -n "${configurations}" ]; then cert_checkOpenSSL fi 
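Review bot: The new block at the top of checks_ports installs `lsof` only for `yum` and `apt-get`, and on any other `sys_type`, or if the install fails, it falls through silently and the port check below runs without the tool; whether `installCommon_yumInstallList`/`installCommon_aptInstallList` abort on failure is not visible here. A guard before the loop such as `command -v lsof >/dev/null 2>&1 || common_logger -e "lsof is required to check port availability."` would make the dependency explicit instead of failing later inside the check. `dep` is also assigned as a global here and again in installCommon_createInstallFiles in this same commit; `local dep="lsof"` keeps the two from sharing state. checks_ports continues past the end of the hunk.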
diff --git a/unattended_installer/install_functions/installMain.sh b/unattended_installer/install_functions/installMain.sh index 292debd018..52e1bb9cc7 100755 --- a/unattended_installer/install_functions/installMain.sh +++ b/unattended_installer/install_functions/installMain.sh @@ -276,7 +276,6 @@ function main() { # -------------- Wazuh repo ---------------------- if [ -n "${AIO}" ] || [ -n "${indexer}" ] || [ -n "${dashboard}" ] || [ -n "${wazuh}" ]; then - installCommon_installPrerequisites check_curlVersion installCommon_addWazuhRepo fi From 9ecc7a1c5edd578f6b3cb528620a985baf186324 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Wed, 7 Feb 2024 11:39:20 +0100 Subject: [PATCH 03/34] Fixed uninstalling dependencies when not installing --- unattended_installer/install_functions/checks.sh | 6 ++++-- unattended_installer/install_functions/installCommon.sh | 4 +++- unattended_installer/install_functions/installVariables.sh | 5 +++-- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/unattended_installer/install_functions/checks.sh b/unattended_installer/install_functions/checks.sh index b25327394f..7a75840ffd 100644 --- a/unattended_installer/install_functions/checks.sh +++ b/unattended_installer/install_functions/checks.sh @@ -341,10 +341,12 @@ function checks_ports() { dep="lsof" if [ "${sys_type}" == "yum" ]; then installCommon_yumInstallList "${dep}" - wia_dependencies_installed+=("${dep}") elif [ "${sys_type}" == "apt-get" ]; then installCommon_aptInstallList "${dep}" - wia_dependencies_installed+=("${dep}") + fi + + if [ "${#not_installed[@]}" -gt 0 ]; then + wia_dependencies_installed+=("${dep}") fi common_logger -d "Checking ports availability." diff --git a/unattended_installer/install_functions/installCommon.sh b/unattended_installer/install_functions/installCommon.sh index b15be9fb4b..06bb5df209 100644 --- a/unattended_installer/install_functions/installCommon.sh 
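Review bot: Removing `installCommon_installPrerequisites` from this branch means `check_curlVersion` and `installCommon_addWazuhRepo` now run with no guarantee that the remaining `wia_*_dependencies` (which still list `curl`) have been installed; unless that function is still invoked earlier in main() — not visible in this hunk — a minimal host without curl fails at the version check with a less useful error than the prerequisite installer would give. If the prerequisites are installed elsewhere, a one-line comment above the `if`, e.g. `# Prerequisites (curl, tar, ...) are installed by installCommon_installPrerequisites before this point`, would spare the next reader the search. main() starts and ends outside the hunk.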
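Review bot: The new `if [ "${#not_installed[@]}" -gt 0 ]` test depends on `not_installed` being reset by `installCommon_yumInstallList`/`installCommon_aptInstallList` on every call; if those helpers only append, or if `sys_type` matches neither branch so neither helper runs, a stale entry from an earlier dependency pass marks `lsof` as installed-by-us and the rollback path would remove a package that was already on the host. Clearing the array right before the branch, `not_installed=()`, makes the check independent of helper internals. checks_ports continues past the end of the hunk.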
+++ b/unattended_installer/install_functions/installCommon.sh @@ -218,9 +218,11 @@ function installCommon_createInstallFiles() { dep="openssl" if [ "${sys_type}" == "yum" ]; then installCommon_yumInstallList "${dep}" - wia_dependencies_installed+=("${dep}") elif [ "${sys_type}" == "apt-get" ]; then installCommon_aptInstallList "${dep}" + fi + + if [ "${#not_installed[@]}" -gt 0 ]; then wia_dependencies_installed+=("${dep}") fi diff --git a/unattended_installer/install_functions/installVariables.sh b/unattended_installer/install_functions/installVariables.sh index c83a4af5a9..ebfa2c96ff 100644 --- a/unattended_installer/install_functions/installVariables.sh +++ b/unattended_installer/install_functions/installVariables.sh @@ -56,8 +56,9 @@ wazuh_aio_ports=( 9200 9300 1514 1515 1516 55000 "${http_port}") readonly wazuh_indexer_ports=( 9200 9300 ) readonly wazuh_manager_ports=( 1514 1515 1516 55000 ) wazuh_dashboard_port="${http_port}" -readonly wia_yum_dependencies=( systemd grep tar coreutils sed procps-ng gawk lsof curl openssl ) -readonly wia_apt_dependencies=( systemd grep tar coreutils sed procps gawk lsof curl openssl ) +# `lsof` and `openssl` are installed separately +readonly wia_yum_dependencies=( systemd grep tar coreutils sed procps-ng gawk curl ) +readonly wia_apt_dependencies=( systemd grep tar coreutils sed procps gawk curl ) readonly wazuh_yum_dependencies=( libcap ) readonly wazuh_apt_dependencies=( apt-transport-https libcap2-bin software-properties-common gnupg ) readonly indexer_yum_dependencies=( coreutils ) From 8123ee03a1de63c678500ef8d8bde2391f71acc5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Wed, 7 Feb 2024 11:39:37 +0100 Subject: [PATCH 04/34] Changed to 4.8.0 for testing --- unattended_installer/install_functions/installVariables.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/unattended_installer/install_functions/installVariables.sh b/unattended_installer/install_functions/installVariables.sh index ebfa2c96ff..8f3d98b558 100644 --- a/unattended_installer/install_functions/installVariables.sh +++ b/unattended_installer/install_functions/installVariables.sh @@ -8,7 +8,7 @@ ## Package vars readonly wazuh_major="4.8" -readonly wazuh_version="4.8.2" +readonly wazuh_version="4.8.0" readonly filebeat_version="7.10.2" readonly wazuh_install_vesion="0.1" readonly source_branch="v${wazuh_version}" From bd78a8e5c9d13a684d803a5222387ee150bf9b76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Fri, 9 Feb 2024 12:08:59 +0100 Subject: [PATCH 05/34] Removed debug variable in Admin certificate generation --- unattended_installer/cert_tool/certFunctions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unattended_installer/cert_tool/certFunctions.sh b/unattended_installer/cert_tool/certFunctions.sh index 425b7f695d..ffc7806d29 100644 --- a/unattended_installer/cert_tool/certFunctions.sh +++ b/unattended_installer/cert_tool/certFunctions.sh @@ -81,7 +81,7 @@ function cert_generateAdmincertificate() { common_logger "Generating Admin certificates." common_logger -d "Generating Admin private key." - cert_executeAndValidate "openssl genrsa -out ${cert_tmp_path}/admin-key-temp.pem 2048 ${debug}" + cert_executeAndValidate "openssl genrsa -out ${cert_tmp_path}/admin-key-temp.pem 2048" common_logger -d "Converting Admin private key to PKCS8 format." cert_executeAndValidate "openssl pkcs8 -inform PEM -outform PEM -in ${cert_tmp_path}/admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out ${cert_tmp_path}/admin-key.pem" common_logger -d "Generating Admin CSR." From 1b35009a92bef20073f54db7615b89ed84ae253d Mon Sep 17 00:00:00 2001 
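Review bot: On the context line after the changed one, `-v1 PBE-SHA1-3DES` has no effect because `-nocrypt` makes `openssl pkcs8` write an unencrypted PrivateKeyInfo; the option only advertises a legacy cipher that is never applied, so drop it: `openssl pkcs8 -inform PEM -outform PEM -in ${cert_tmp_path}/admin-key-temp.pem -topk8 -nocrypt -out ${cert_tmp_path}/admin-key.pem`. Removing `${debug}` from the genrsa command makes it consistent with the other `cert_executeAndValidate` calls in the function, but the commit does not say what `${debug}` expanded to; if it was an output redirection, confirm that cert_executeAndValidate still captures or silences genrsa's stderr. cert_generateAdmincertificate continues past the hunk.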
From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 13 Feb 2024 16:13:17 +0100 Subject: [PATCH 06/34] Improved cleanup in OVA generation --- ova/assets/steps.sh | 5 ++++- ova/provision.sh | 16 +++++++++++++--- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/ova/assets/steps.sh b/ova/assets/steps.sh index 2a76dcbc3f..0f62b7aa8a 100644 --- a/ova/assets/steps.sh +++ b/ova/assets/steps.sh @@ -74,7 +74,10 @@ clean() { # Remove logs find /var/log/ -type f -exec bash -c 'cat /dev/null > {}' \; - find /var/ossec/logs/ -type f -exec bash -c 'cat /dev/null > {}' \; + find /var/ossec/logs -type f -execdir sh -c 'cat /dev/null > "$1"' _ {} \; + find /var/log/wazuh-indexer -type f -execdir sh -c 'cat /dev/null > "$1"' _ {} \; + find /var/log/filebeat -type f -execdir sh -c 'cat /dev/null > "$1"' _ {} \; + find /usr/share/wazuh-dashboard/data/wazuh/logs -type f -execdir sh -c 'cat /dev/null > "$1"' _ {} \; cat /dev/null > ~/.bash_history && history -c diff --git a/ova/provision.sh b/ova/provision.sh index 96ebd8abdd..569641d4d1 100755 --- a/ova/provision.sh +++ b/ova/provision.sh @@ -8,6 +8,7 @@ BUILDER="builder.sh" INSTALLER="wazuh-install.sh" SYSTEM_USER="wazuh-user" HOSTNAME="wazuh-server" +INDEXES=("wazuh-alerts-*" "wazuh-archives-*" "wazuh-states-vulnerabilities-*" "wazuh-statistics-*" "wazuh-monitoring-*") CURRENT_PATH="$( cd $(dirname $0) ; pwd -P )" ASSETS_PATH="${CURRENT_PATH}/assets" 
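Review bot: The untouched line just above the new ones, `find /var/log/ -type f -exec bash -c 'cat /dev/null > {}' \;`, still splices the path into the shell string, so a log name containing whitespace or shell metacharacters breaks the redirection or is partly executed, while the four added lines use the safe `"$1"` form; change it to `find /var/log/ -type f -execdir sh -c 'cat /dev/null > "$1"' _ {} \;`. The new `/var/log/wazuh-indexer` and `/var/log/filebeat` walks are already covered by that `/var/log/` walk, and if `/usr/share/wazuh-dashboard/data/wazuh/logs` is absent `find` returns non-zero, which aborts clean() should the script run under `set -e` (not visible in the hunk). clean() begins before this hunk.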
@@ -42,9 +43,18 @@ preInstall # Install bash ${RESOURCES_PATH}/${INSTALLER} ${INSTALL_ARGS} -systemctl stop wazuh-dashboard filebeat wazuh-indexer wazuh-manager +systemctl stop filebeat wazuh-manager + +# Delete indexes +for index in "${INDEXES[@]}"; do + curl -u admin:admin -XDELETE "https://127.0.0.1:9200/$index" -k +done + +# Recreate empty indexes (wazuh-alerts and wazuh-archives) +bash /usr/share/wazuh-indexer/bin/indexer-ism-init.sh -i 127.0.0.1 -p admin + +systemctl stop wazuh-indexer wazuh-dashboard systemctl enable wazuh-manager -rm -f /var/log/wazuh-indexer/* -rm -f /var/log/filebeat/* + clean From c7f538cdac3cb75a116f38c410cb1bd6eab67f6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Wed, 14 Feb 2024 12:18:31 +0100 Subject: [PATCH 07/34] Added `postProvision.sh` script to OVA generation --- ova/Vagrantfile | 2 ++ ova/assets/postProvision.sh | 31 +++++++++++++++++++++++++++++++ ova/assets/steps.sh | 9 --------- 3 files changed, 33 insertions(+), 9 deletions(-) create mode 100644 ova/assets/postProvision.sh diff --git a/ova/Vagrantfile b/ova/Vagrantfile index 4a3409ab1c..2d2da7ebec 100755 --- a/ova/Vagrantfile +++ b/ova/Vagrantfile @@ -23,4 +23,6 @@ Vagrant.configure("2") do |config| # Provision stage config.vm.provision :shell, path: "provision.sh", :args => "#{ENV['PACKAGES_REPOSITORY']} #{ENV['DEBUG']}" + # Provision cleanup stage + config.vm.provision :shell, path: "assets/postProvision.sh", :args => "#{ENV['DEBUG']}" end diff --git a/ova/assets/postProvision.sh b/ova/assets/postProvision.sh new file mode 100644 index 0000000000..a44275c510 --- /dev/null +++ b/ova/assets/postProvision.sh 
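Review bot: The index deletes in the new `for` loop are unchecked: `curl` without `-f`/`--fail` exits 0 on an HTTP error, so a rejected wildcard delete (for example when `action.destructive_requires_name` is enabled) or a security plugin that is not yet initialized leaves the alert and archive data inside the exported OVA without any signal. Use `curl -sSf -u admin:admin -XDELETE "https://127.0.0.1:9200/${index}" -k || exit 1` so the build stops instead. `-k` disables certificate verification against the loopback indexer the installer just provisioned; if the generated root CA lives at a known path in the image, `--cacert` is preferable. The `admin:admin` credentials and `-p admin` presumably rely on the password change happening later in the pipeline; a comment saying so would keep them from being mistaken for the shipped state.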
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+DEBUG=$1
+[[ ${DEBUG} = "yes" ]] && set -ex || set -e
+
+CURRENT_PATH="$( cd $(dirname $0) ; pwd -P )"
+ASSETS_PATH="${CURRENT_PATH}/assets"
+CUSTOM_PATH="${ASSETS_PATH}/custom"
+SYSTEM_USER="wazuh-user"
+
+# Remove everything related to vagrant
+# mv ${CUSTOM_PATH}/removeVagrant.service /etc/systemd/system/
+# sed -i "s/USER/${SYSTEM_USER}/g" /etc/systemd/system/removeVagrant.service
+# mv ${CUSTOM_PATH}/removeVagrant.sh /home/${SYSTEM_USER}/
+# sed -i "s/USER/${SYSTEM_USER}/g" /home/${SYSTEM_USER}/removeVagrant.sh
+# chmod 755 /home/${SYSTEM_USER}/removeVagrant.sh
+# systemctl daemon-reload
+# systemctl enable removeVagrant.service
+
+# Clear synced files
+rm -rf ${CURRENT_PATH}/* ${CURRENT_PATH}/.gitignore
+
+# Remove logs
+find /var/log/ -type f -exec bash -c 'cat /dev/null > {}' \;
+find /var/ossec/logs -type f -execdir sh -c 'cat /dev/null > "$1"' _ {} \;
+find /var/log/wazuh-indexer -type f -execdir sh -c 'cat /dev/null > "$1"' _ {} \;
+find /var/log/filebeat -type f -execdir sh -c 'cat /dev/null > "$1"' _ {} \;
+find /usr/share/wazuh-dashboard/data/wazuh/logs -type f -execdir sh -c 'cat /dev/null > "$1"' _ {} \;
+
+history -c
+shutdown -r now > /dev/null 2>&1
\ No newline at end of file
diff --git a/ova/assets/steps.sh b/ova/assets/steps.sh
index 0f62b7aa8a..a8e5acecad 100644
--- a/ova/assets/steps.sh
+++ b/ova/assets/steps.sh
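Review bot: `rm -rf ${CURRENT_PATH}/* ${CURRENT_PATH}/.gitignore` is unquoted and unguarded; CURRENT_PATH is derived from `cd $(dirname $0) ; pwd -P`, and should it ever expand to an empty string the command becomes `rm -rf /*` on the image being built. Write it as `rm -rf "${CURRENT_PATH:?}"/* "${CURRENT_PATH:?}/.gitignore"` so bash aborts instead. The first log line, `find /var/log/ -type f -exec bash -c 'cat /dev/null > {}' \;`, still splices the path into the shell string while the four lines below use the `"$1"` form; use that form for all five. `ASSETS_PATH`, `CUSTOM_PATH` and `SYSTEM_USER` are only referenced from the commented-out vagrant block, and `history -c` in a non-interactive provisioning shell does not truncate the on-disk `~/.bash_history` that steps.sh's clean() clears explicitly.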
@@ -66,19 +66,10 @@ clean() { rm -f /securityadmin_demo.sh yum clean all - systemctl daemon-reload # Clear synced files rm -rf ${CURRENT_PATH}/* ${CURRENT_PATH}/.gitignore - - # Remove logs - find /var/log/ -type f -exec bash -c 'cat /dev/null > {}' \; - find /var/ossec/logs -type f -execdir sh -c 'cat /dev/null > "$1"' _ {} \; - find /var/log/wazuh-indexer -type f -execdir sh -c 'cat /dev/null > "$1"' _ {} \; - find /var/log/filebeat -type f -execdir sh -c 'cat /dev/null > "$1"' _ {} \; - find /usr/share/wazuh-dashboard/data/wazuh/logs -type f -execdir sh -c 'cat /dev/null > "$1"' _ {} \; - cat /dev/null > ~/.bash_history && history -c } From 2d0f5b12d5c8a61a051cba76b6cc77fd1bf23422 Mon Sep 17 00:00:00 2001 From: MiguelazoDS Cazajous-Miguel Date: Sat, 10 Feb 2024 16:48:17 -0300 Subject: [PATCH 08/34] Do not decompress .tar.xz file, remove xz dependency --- debs/SPECS/wazuh-manager/debian/control | 2 +- debs/SPECS/wazuh-manager/debian/postinst | 12 ++---------- debs/SPECS/wazuh-manager/debian/rules | 2 +- rpms/SPECS/wazuh-manager.spec | 12 +++--------- 4 files changed, 7 insertions(+), 21 deletions(-) diff --git a/debs/SPECS/wazuh-manager/debian/control b/debs/SPECS/wazuh-manager/debian/control index 907ba3812b..bbdeb2a7c6 100644 --- a/debs/SPECS/wazuh-manager/debian/control +++ b/debs/SPECS/wazuh-manager/debian/control @@ -8,7 +8,7 @@ Homepage: http://www.wazuh.com Package: wazuh-manager Architecture: any -Depends: ${shlibs:Depends}, libc6 (>= 2.7), lsb-release, debconf, adduser, xz-utils +Depends: ${shlibs:Depends}, libc6 (>= 2.7), lsb-release, debconf, adduser Suggests: expect Conflicts: ossec-hids-agent, wazuh-agent, ossec-hids, wazuh-api Replaces: wazuh-api diff --git a/debs/SPECS/wazuh-manager/debian/postinst b/debs/SPECS/wazuh-manager/debian/postinst index fcb507b51a..974441981b 100644 --- a/debs/SPECS/wazuh-manager/debian/postinst +++ b/debs/SPECS/wazuh-manager/debian/postinst 
@@ -15,7 +15,6 @@ case "$1" in OSMYSHELL="/sbin/nologin" SCRIPTS_DIR="${WAZUH_GLOBAL_TMP_DIR}/manager_installation_scripts" SCA_BASE_DIR="${SCRIPTS_DIR}/sca" - VD_FILENAME='vd_1.0.0_vd_4.8.0.tar.xz' if [ -d /run/systemd/system ]; then rm -f /etc/init.d/wazuh-manager @@ -72,13 +71,6 @@ case "$1" in chown ${USER}:${GROUP} ${DIR}/queue/db/global.db* fi - if [ -f "${DIR}/${VD_FILENAME}" ]; then - tar -xf ${DIR}/${VD_FILENAME} -C ${DIR} - chown ${USER}:${GROUP} ${DIR}/queue/vd - chown ${USER}:${GROUP} ${DIR}/queue/vd_updater - rm -rf ${DIR}/${VD_FILENAME} - fi - # Delete uncompatible DBs versions if [ ! -z $2 ]; then @@ -274,7 +266,7 @@ case "$1" in find ${DIR}/ -group ossec -user ossecr -print0 | xargs -0 chown ${USER}:${GROUP} > /dev/null 2>&1 || true deluser ossecr > /dev/null 2>&1 fi - if getent group ossec > /dev/null 2>&1; then + if getent group ossec > /dev/null 2>&1; then delgroup ossec > /dev/null 2>&1 fi fi @@ -311,7 +303,7 @@ case "$1" in if [ -z "$(ls -A ${WAZUH_GLOBAL_TMP_DIR})" ]; then rm -rf ${WAZUH_GLOBAL_TMP_DIR} fi - + ;; diff --git a/debs/SPECS/wazuh-manager/debian/rules b/debs/SPECS/wazuh-manager/debian/rules index 8a83b9e4b3..e884f5987a 100644 --- a/debs/SPECS/wazuh-manager/debian/rules +++ b/debs/SPECS/wazuh-manager/debian/rules @@ -64,7 +64,7 @@ override_dh_install: USER_GENERATE_AUTHD_CERT="y" \ USER_AUTO_START="n" \ USER_CREATE_SSL_CERT="n" \ - DOWNLOAD_CONTENT="yes" \ + DOWNLOAD_CONTENT="y" \ ./install.sh # Copying init.d script diff --git a/rpms/SPECS/wazuh-manager.spec b/rpms/SPECS/wazuh-manager.spec index 5f0a512bb9..3008fbbd00 100644 --- a/rpms/SPECS/wazuh-manager.spec +++ b/rpms/SPECS/wazuh-manager.spec @@ -22,7 +22,7 @@ Conflicts: ossec-hids ossec-hids-agent wazuh-agent wazuh-local Obsoletes: wazuh-api < 4.0.0 AutoReqProv: no -Requires: coreutils xz +Requires: coreutils BuildRequires: coreutils glibc-devel automake autoconf libtool policycoreutils-python curl perl ExclusiveOS: linux 
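Review bot: The `DOWNLOAD_CONTENT="yes"` to `"y"` change in override_dh_install is not covered by the commit subject, and whether install.sh accepts `y`, `yes` or both is not visible here; if it only matches `yes`, this silently disables the content download that the `.tar.xz` was meant to carry. Either confirm the accepted values in install.sh or call the change out in the commit message. The postinst hunk above also drops the `chown ${USER}:${GROUP} ${DIR}/queue/vd` and `vd_updater` lines, so whatever later consumes the untouched tarball must now create those directories with the correct ownership.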
@@ -80,7 +80,7 @@ echo 'USER_CA_STORE="/path/to/my_cert.pem"' >> ./etc/preloaded-vars.conf echo 'USER_GENERATE_AUTHD_CERT="y"' >> ./etc/preloaded-vars.conf echo 'USER_AUTO_START="n"' >> ./etc/preloaded-vars.conf echo 'USER_CREATE_SSL_CERT="n"' >> ./etc/preloaded-vars.conf -echo 'DOWNLOAD_CONTENT="yes"' >> ./etc/preloaded-vars.conf +echo 'DOWNLOAD_CONTENT="y"' >> ./etc/preloaded-vars.conf ./install.sh # Create directories @@ -309,12 +309,6 @@ if [ $1 = 2 ]; then fi %define _vdfilename vd_1.0.0_vd_4.8.0.tar.xz -if [ -f "%{_localstatedir}/%{_vdfilename}" ]; then - tar -xf %{_localstatedir}/%{_vdfilename} -C %{_localstatedir} - chown wazuh:wazuh %{_localstatedir}/queue/vd - chown wazuh:wazuh %{_localstatedir}/queue/vd_updater - rm -rf %{_localstatedir}/%{_vdfilename} -fi # Fresh install code block if [ $1 = 1 ]; then @@ -737,7 +731,7 @@ rm -fr %{buildroot} %attr(750, root, root) %config(missingok) %{_localstatedir}/packages_files/manager_installation_scripts/etc/templates/config/centos/* %dir %attr(750, root, root) %config(missingok) %{_localstatedir}/packages_files/manager_installation_scripts/etc/templates/config/rhel %attr(750, root, root) %config(missingok) %{_localstatedir}/packages_files/manager_installation_scripts/etc/templates/config/rhel/* -%attr(750, wazuh, wazuh) %{_localstatedir}/%{_vdfilename} +%attr(750, wazuh, wazuh) %{_localstatedir}/tmp/%{_vdfilename} %dir %attr(750, root, wazuh) %{_localstatedir}/queue %attr(600, root, wazuh) %ghost %{_localstatedir}/queue/agents-timestamp %dir %attr(750, wazuh, wazuh) %{_localstatedir}/queue/agentless From 1c06f49491430bda545dbdf01e25b36417a85bb8 Mon Sep 17 00:00:00 2001 From: Daniel Sappa Date: Fri, 16 Feb 2024 21:50:29 +0000 Subject: [PATCH 09/34] Fix passwords parser in success test --- .github/actions/passwords-tool/tests-stack-success.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
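Review bot: `%attr(750, wazuh, wazuh) %{_localstatedir}/tmp/%{_vdfilename}` gives a data tarball the execute bit; `%attr(640, wazuh, wazuh) %{_localstatedir}/tmp/%{_vdfilename}` is enough for the wazuh user to read it and avoids listing an executable archive in the package manifest. With the `%post` extraction removed in the earlier hunk, `%define _vdfilename` now serves only this `%files` entry and the tarball stays in `%{_localstatedir}/tmp` until some other component — not visible in this patch — consumes it; a comment next to the define naming that consumer would prevent the file being mistaken for leftover build output. The same `DOWNLOAD_CONTENT="yes"` to `"y"` change appears in the `%build` hunk above and deserves the same confirmation that install.sh accepts `y`.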
diff --git a/.github/actions/passwords-tool/tests-stack-success.sh b/.github/actions/passwords-tool/tests-stack-success.sh index 9b87d1eb80..f1dd2fa3bc 100644 --- a/.github/actions/passwords-tool/tests-stack-success.sh +++ b/.github/actions/passwords-tool/tests-stack-success.sh @@ -22,7 +22,7 @@ echo '::endgroup::' echo '::group:: Change all passwords except Wazuh API ones.' -mapfile -t pass < <(bash wazuh-passwords-tool.sh -a | awk '{ print $NF }' | sed \$d | sed '1d' ) +mapfile -t pass < <(bash wazuh-passwords-tool.sh -a | grep 'The password for' | awk '{ print $NF }') for i in "${!users[@]}"; do if curl -s -XGET https://localhost:9200/ -u "${users[i]}":"${pass[i]}" -k -w %{http_code} | grep "401"; then exit 1 @@ -35,7 +35,7 @@ echo '::group:: Change all passwords.' wazuh_pass="$(cat wazuh-install-files/wazuh-passwords.txt | awk "/username: 'wazuh'/{getline;print;}" | awk '{ print $2 }' | tr -d \' )" -mapfile -t passall < <(bash wazuh-passwords-tool.sh -a -au wazuh -ap "${wazuh_pass}" | awk '{ print $NF }' | sed \$d ) +mapfile -t passall < <(bash wazuh-passwords-tool.sh -a -au wazuh -ap "${wazuh_pass}" | grep 'The password for' | awk '{ print $NF }' ) passindexer=("${passall[@]:0:6}") passapi=("${passall[@]:(-2)}") @@ -63,7 +63,7 @@ echo '::endgroup::' echo '::group:: Change all passwords except Wazuh API ones using a file.' -mapfile -t passfile < <(bash wazuh-passwords-tool.sh -f wazuh-install-files/wazuh-passwords.txt | awk '{ print $NF }' | sed \$d | sed '1d' ) +mapfile -t passfile < <(bash wazuh-passwords-tool.sh -f wazuh-install-files/wazuh-passwords.txt | grep 'The password for' | awk '{ print $NF }' ) for i in "${!users[@]}"; do if curl -s -XGET https://localhost:9200/ -u "${users[i]}":"${passfile[i]}" -k -w %{http_code} | grep "401"; then exit 1 
@@ -72,7 +72,7 @@ done echo '::endgroup::' echo '::group:: Change all passwords from a file.' -mapfile -t passallf < <(bash wazuh-passwords-tool.sh -f wazuh-install-files/wazuh-passwords.txt -au wazuh -ap BkJt92r*ndzN.CkCYWn?d7i5Z7EaUt63 | awk '{ print $NF }' | sed \$d ) +mapfile -t passallf < <(bash wazuh-passwords-tool.sh -f wazuh-install-files/wazuh-passwords.txt -au wazuh -ap BkJt92r*ndzN.CkCYWn?d7i5Z7EaUt63 | grep 'The password for' | awk '{ print $NF }' ) passindexerf=("${passallf[@]:0:6}") passapif=("${passallf[@]:(-2)}") From 237513182de8c02f2f630b262d8a48c7c6e5ad21 Mon Sep 17 00:00:00 2001 From: "Victor M. Fernandez-Castro" Date: Mon, 19 Feb 2024 10:24:34 +0100 Subject: [PATCH 10/34] Bump version to 4.7.3 (#2832) * Bump version to 4.7.3 * Amend `source_branch` version bump --- CHANGELOG.md | 4 ++++ VERSION | 2 +- aix/SPECS/wazuh-agent-aix.spec | 4 +++- debs/SPECS/wazuh-agent/debian/changelog | 6 ++++++ debs/SPECS/wazuh-agent/debian/copyright | 2 +- debs/SPECS/wazuh-manager/debian/changelog | 6 ++++++ debs/SPECS/wazuh-manager/debian/copyright | 2 +- macos/specs/wazuh-agent-arm64.pkgproj | 4 ++-- macos/specs/wazuh-agent-intel64.pkgproj | 4 ++-- rpms/SPECS/wazuh-agent.spec | 4 +++- rpms/SPECS/wazuh-manager.spec | 4 +++- solaris/solaris10/pkginfo | 4 ++-- stack/dashboard/deb/debian/changelog | 6 ++++++ stack/dashboard/deb/debian/copyright | 2 +- stack/dashboard/rpm/wazuh-dashboard.spec | 2 ++ stack/indexer/deb/debian/changelog | 6 ++++++ stack/indexer/deb/debian/copyright | 2 +- stack/indexer/rpm/wazuh-indexer.spec | 2 ++ tests/unattended/unit/suites/test-common.sh | 4 ++-- tests/unattended/unit/suites/test-dashboard.sh | 10 +++++----- tests/unattended/unit/suites/test-indexer.sh | 8 ++++---- unattended_installer/builder.sh | 2 +- .../install_functions/installVariables.sh | 2 +- 23 files changed, 65 insertions(+), 27 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e1f86028dd..3a40d68414 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
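Review bot: `passindexerf=("${passallf[@]:0:6}")` and `passapif=("${passallf[@]:(-2)}")` assume the tool prints exactly eight `The password for` lines with the indexer users first; the new grep is sturdier than `sed \$d`, but one extra or missing line (a new default user, or a password reported in a differently worded message) shifts every index and the subsequent curl checks would test the wrong credentials without failing loudly. Add a count check right after the mapfile: `[ "${#passallf[@]}" -eq 8 ] || { echo "unexpected password count: ${#passallf[@]}"; exit 1; }`. `awk '{ print $NF }'` also keeps only the last whitespace-delimited field, so if the tool can ever generate a password containing a space it would be truncated silently; in that case match on the fixed prefix and take the remainder of the line instead.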
@@ -1,5 +1,9 @@ # Change Log All notable changes to this project will be documented in this file. +## [4.7.3] + +- https://github.com/wazuh/wazuh-packages/releases/tag/v4.7.3 + ## [4.7.2] - https://github.com/wazuh/wazuh-packages/releases/tag/v4.7.2 diff --git a/VERSION b/VERSION index af9764a59e..87b18a567e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.7.2 +4.7.3 diff --git a/aix/SPECS/wazuh-agent-aix.spec b/aix/SPECS/wazuh-agent-aix.spec index 8ba310dd13..73891470d5 100644 --- a/aix/SPECS/wazuh-agent-aix.spec +++ b/aix/SPECS/wazuh-agent-aix.spec @@ -1,6 +1,6 @@ # Spec file for AIX systems Name: wazuh-agent -Version: 4.7.2 +Version: 4.7.3 Release: 1 License: GPL URL: https://www.wazuh.com/ @@ -290,6 +290,8 @@ rm -fr %{buildroot} %attr(750, root, wazuh) %{_localstatedir}/wodles/* %changelog +* Thu Feb 22 2024 support - 4.7.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-3.html * Tue Jan 09 2024 support - 4.7.2 - More info: https://documentation.wazuh.com/current/release-notes/release-4-7-2.html * Wed Dec 13 2023 support - 4.7.1 diff --git a/debs/SPECS/wazuh-agent/debian/changelog b/debs/SPECS/wazuh-agent/debian/changelog index 90d49039ab..b99dd738e8 100644 --- a/debs/SPECS/wazuh-agent/debian/changelog +++ b/debs/SPECS/wazuh-agent/debian/changelog @@ -1,3 +1,9 @@ +wazuh-agent (4.7.3-RELEASE) stable; urgency=low + + * More info: https://documentation.wazuh.com/current/release-notes/release-4-7-3.html + + -- Wazuh, Inc Thu, 22 Feb 2024 00:00:00 +0000 + wazuh-agent (4.7.2-RELEASE) stable; urgency=low * More info: https://documentation.wazuh.com/current/release-notes/release-4-7-2.html diff --git a/debs/SPECS/wazuh-agent/debian/copyright b/debs/SPECS/wazuh-agent/debian/copyright index 35a04448c8..5b257597a6 100644 --- a/debs/SPECS/wazuh-agent/debian/copyright +++ b/debs/SPECS/wazuh-agent/debian/copyright 
@@ -1,6 +1,6 @@ This work was packaged for Debian by: - Wazuh, Inc on Tue, 09 Jan 2024 00:00:00 +0000 + Wazuh, Inc on Thu, 22 Feb 2024 00:00:00 +0000 It was downloaded from: diff --git a/debs/SPECS/wazuh-manager/debian/changelog b/debs/SPECS/wazuh-manager/debian/changelog index d5cbb3c422..7b76848acf 100644 --- a/debs/SPECS/wazuh-manager/debian/changelog +++ b/debs/SPECS/wazuh-manager/debian/changelog @@ -1,3 +1,9 @@ +wazuh-manager (4.7.3-RELEASE) stable; urgency=low + + * More info: https://documentation.wazuh.com/current/release-notes/release-4-7-3.html + + -- Wazuh, Inc Thu, 22 Feb 2024 00:00:00 +0000 + wazuh-manager (4.7.2-RELEASE) stable; urgency=low * More info: https://documentation.wazuh.com/current/release-notes/release-4-7-2.html diff --git a/debs/SPECS/wazuh-manager/debian/copyright b/debs/SPECS/wazuh-manager/debian/copyright index 35a04448c8..5b257597a6 100644 --- a/debs/SPECS/wazuh-manager/debian/copyright +++ b/debs/SPECS/wazuh-manager/debian/copyright @@ -1,6 +1,6 @@ This work was packaged for Debian by: - Wazuh, Inc on Tue, 09 Jan 2024 00:00:00 +0000 + Wazuh, Inc on Thu, 22 Feb 2024 00:00:00 +0000 It was downloaded from: diff --git a/macos/specs/wazuh-agent-arm64.pkgproj b/macos/specs/wazuh-agent-arm64.pkgproj index 444635d1ef..01ca2626f5 100644 --- a/macos/specs/wazuh-agent-arm64.pkgproj +++ b/macos/specs/wazuh-agent-arm64.pkgproj @@ -812,7 +812,7 @@ USE_HFS+_COMPRESSION VERSION - 4.7.2-1 + 4.7.3-1 TYPE 0 @@ -1240,7 +1240,7 @@ NAME - wazuh-agent-4.7.2-1.arm64 + wazuh-agent-4.7.3-1.arm64 PAYLOAD_ONLY TREAT_MISSING_PRESENTATION_DOCUMENTS_AS_WARNING diff --git a/macos/specs/wazuh-agent-intel64.pkgproj b/macos/specs/wazuh-agent-intel64.pkgproj index 71aa74e9eb..356ee5455d 100644 --- a/macos/specs/wazuh-agent-intel64.pkgproj +++ b/macos/specs/wazuh-agent-intel64.pkgproj @@ -812,7 +812,7 @@ USE_HFS+_COMPRESSION VERSION - 4.7.2-1 + 4.7.3-1 TYPE 0 
@@ -1239,7 +1239,7 @@ NAME - wazuh-agent-4.7.2-1.intel64 + wazuh-agent-4.7.3-1.intel64 PAYLOAD_ONLY TREAT_MISSING_PRESENTATION_DOCUMENTS_AS_WARNING diff --git a/rpms/SPECS/wazuh-agent.spec b/rpms/SPECS/wazuh-agent.spec index 6f464ae967..1dbe68555a 100644 --- a/rpms/SPECS/wazuh-agent.spec +++ b/rpms/SPECS/wazuh-agent.spec @@ -7,7 +7,7 @@ Summary: Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring Name: wazuh-agent -Version: 4.7.2 +Version: 4.7.3 Release: %{_release} License: GPL Group: System Environment/Daemons @@ -599,6 +599,8 @@ rm -fr %{buildroot} %attr(750, root, wazuh) %{_localstatedir}/wodles/gcloud/* %changelog +* Thu Feb 22 2024 support - 4.7.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-3.html * Tue Jan 09 2024 support - 4.7.2 - More info: https://documentation.wazuh.com/current/release-notes/release-4-7-2.html * Wed Dec 13 2023 support - 4.7.1 diff --git a/rpms/SPECS/wazuh-manager.spec b/rpms/SPECS/wazuh-manager.spec index 9064a94672..c5aa0f6c54 100644 --- a/rpms/SPECS/wazuh-manager.spec +++ b/rpms/SPECS/wazuh-manager.spec @@ -7,7 +7,7 @@ Summary: Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring Name: wazuh-manager -Version: 4.7.2 +Version: 4.7.3 Release: %{_release} License: GPL Group: System Environment/Daemons 
@@ -827,6 +827,8 @@ rm -fr %{buildroot} %attr(750, root, wazuh) %{_localstatedir}/wodles/gcloud/* %changelog +* Thu Feb 22 2024 support - 4.7.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-3.html * Tue Jan 09 2024 support - 4.7.2 - More info: https://documentation.wazuh.com/current/release-notes/release-4-7-2.html * Wed Dec 13 2023 support - 4.7.1 diff --git a/solaris/solaris10/pkginfo b/solaris/solaris10/pkginfo index 34522af26c..6175636bd8 100644 --- a/solaris/solaris10/pkginfo +++ b/solaris/solaris10/pkginfo @@ -1,11 +1,11 @@ NAME=Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. PKG="wazuh-agent" -VERSION="4.7.2" +VERSION="4.7.3" ARCH="i386" CLASSES="none" CATEGORY="system" VENDOR="Wazuh, Inc " -PSTAMP="17Dec2023" +PSTAMP="22Feb2024" EMAIL="info@wazuh.com" ISTATES="S s 1 2 3" RSTATES="S s 1 2 3" diff --git a/stack/dashboard/deb/debian/changelog b/stack/dashboard/deb/debian/changelog index 429d89fdc4..913d3ebbb4 100644 --- a/stack/dashboard/deb/debian/changelog +++ b/stack/dashboard/deb/debian/changelog @@ -1,3 +1,9 @@ +wazuh-dashboard (4.7.3-RELEASE) stable; urgency=low + + * More info: https://documentation.wazuh.com/current/release-notes/release-4-7-3.html + + -- Wazuh, Inc Thu, 22 Feb 2024 00:00:00 +0000 + wazuh-dashboard (4.7.2-RELEASE) stable; urgency=low * More info: https://documentation.wazuh.com/current/release-notes/release-4-7-2.html diff --git a/stack/dashboard/deb/debian/copyright b/stack/dashboard/deb/debian/copyright index 0d4c3b6b72..fdc3648e53 100644 --- a/stack/dashboard/deb/debian/copyright +++ b/stack/dashboard/deb/debian/copyright @@ -1,6 +1,6 @@ This work was packaged for Debian by: - Wazuh, Inc on Tue, 09 Jan 2024 00:00:00 +0000 + Wazuh, Inc on Thu, 22 Feb 2024 00:00:00 +0000 It was downloaded from: 
diff --git a/stack/dashboard/rpm/wazuh-dashboard.spec b/stack/dashboard/rpm/wazuh-dashboard.spec index 6c808e10c6..72bbc0d852 100644 --- a/stack/dashboard/rpm/wazuh-dashboard.spec +++ b/stack/dashboard/rpm/wazuh-dashboard.spec @@ -408,6 +408,8 @@ rm -fr %{buildroot} %attr(640, root, root) "/etc/systemd/system/wazuh-dashboard.service" %changelog +* Thu Feb 22 2024 support - 4.7.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-3.html * Tue Jan 09 2024 support - 4.7.2 - More info: https://documentation.wazuh.com/current/release-notes/release-4-7-2.html * Wed Dec 13 2023 support - 4.7.1 diff --git a/stack/indexer/deb/debian/changelog b/stack/indexer/deb/debian/changelog index 77863584b8..f9005e6606 100644 --- a/stack/indexer/deb/debian/changelog +++ b/stack/indexer/deb/debian/changelog @@ -1,3 +1,9 @@ +wazuh-indexer (4.7.3-RELEASE) stable; urgency=low + + * More info: https://documentation.wazuh.com/current/release-notes/release-4-7-3.html + + -- Wazuh, Inc Thu, 22 Feb 2024 00:00:00 +0000 + wazuh-indexer (4.7.2-RELEASE) stable; urgency=low * More info: https://documentation.wazuh.com/current/release-notes/release-4-7-2.html diff --git a/stack/indexer/deb/debian/copyright b/stack/indexer/deb/debian/copyright index 0d4c3b6b72..fdc3648e53 100644 --- a/stack/indexer/deb/debian/copyright +++ b/stack/indexer/deb/debian/copyright @@ -1,6 +1,6 @@ This work was packaged for Debian by: - Wazuh, Inc on Tue, 09 Jan 2024 00:00:00 +0000 + Wazuh, Inc on Thu, 22 Feb 2024 00:00:00 +0000 It was downloaded from: diff --git a/stack/indexer/rpm/wazuh-indexer.spec b/stack/indexer/rpm/wazuh-indexer.spec index 6451397765..6296e77a4c 100755 --- a/stack/indexer/rpm/wazuh-indexer.spec +++ b/stack/indexer/rpm/wazuh-indexer.spec 
@@ -1444,6 +1444,8 @@ rm -fr %{buildroot} %changelog +* Thu Feb 22 2024 support - 4.7.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-3.html * Tue Jan 09 2024 support - 4.7.2 - More info: https://documentation.wazuh.com/current/release-notes/release-4-7-2.html * Wed Dec 13 2023 support - 4.7.1 diff --git a/tests/unattended/unit/suites/test-common.sh b/tests/unattended/unit/suites/test-common.sh index 8ee2d7a0ba..7a9ac19ae6 100644 --- a/tests/unattended/unit/suites/test-common.sh +++ b/tests/unattended/unit/suites/test-common.sh @@ -61,7 +61,7 @@ test-04-common_checkInstalled-all-installed-yum() { @mocktrue yum list installed - @mock grep wazuh-manager === @echo wazuh-manager.x86_64 4.7.2-1 @wazuh + @mock grep wazuh-manager === @echo wazuh-manager.x86_64 4.7.3-1 @wazuh @mkdir /var/ossec @mock grep wazuh-indexer === @echo wazuh-indexer.x86_64 1.13.2-1 @wazuh @@ -105,7 +105,7 @@ test-04-common_checkInstalled-all-installed-yum() { } test-05-common_checkInstalled-all-installed-yum-assert() { - @echo "wazuh-manager.x86_64 4.7.2-1 @wazuh" + @echo "wazuh-manager.x86_64 4.7.3-1 @wazuh" @echo 1 @echo "wazuh-indexer.x86_64 4.6.0-1 @wazuh" diff --git a/tests/unattended/unit/suites/test-dashboard.sh b/tests/unattended/unit/suites/test-dashboard.sh index d3f53edc98..df2fc46414 100644 --- a/tests/unattended/unit/suites/test-dashboard.sh +++ b/tests/unattended/unit/suites/test-dashboard.sh @@ -6,7 +6,7 @@ source "${base_dir}"/bach.sh @setup-test { @ignore common_logger k_certs_path="/etc/wazuh-dashboard/certs/" - wazuh_version="4.7.2" + wazuh_version="4.7.3" elasticsearch_oss_version="7.10.2" wazuh_kibana_plugin_revision="1" repobaseurl="https://packages.wazuh.com/4.x" @@ -55,7 +55,7 @@ test-03-dashboard_install-yum() { load-dashboard_install sys_type="yum" sep="-" - wazuh_version="4.7.2" + wazuh_version="4.7.3" wazuh_revision="1" dashboard_install } 
@@ -68,7 +68,7 @@ test-ASSERT-FAIL-04-dashboard_install-yum-error() { load-dashboard_install sys_type="yum" sep="-" - wazuh_version="4.7.2" + wazuh_version="4.7.3" wazuh_revision="1" @mockfalse yum install wazuh-dashboard-1.13.2-1 -y dashboard_install @@ -78,7 +78,7 @@ test-05-dashboard_install-apt() { load-dashboard_install sys_type="apt-get" sep="=" - wazuh_version="4.7.2" + wazuh_version="4.7.3" wazuh_revision="1" dashboard_install } @@ -91,7 +91,7 @@ test-ASSERT-FAIL-06-dashboard_install-apt-error() { load-dashboard_install sys_type="apt-get" sep="=" - wazuh_version="4.7.2" + wazuh_version="4.7.3" wazuh_revision="1" @mockfalse apt install wazuh-dashboard=1.13.2-1 -y dashboard_install diff --git a/tests/unattended/unit/suites/test-indexer.sh b/tests/unattended/unit/suites/test-indexer.sh index 264bc797aa..53882564cb 100644 --- a/tests/unattended/unit/suites/test-indexer.sh +++ b/tests/unattended/unit/suites/test-indexer.sh @@ -49,7 +49,7 @@ test-03-indexer_install-yum() { load-indexer_install sys_type="yum" sep="-" - wazuh_version="4.7.2" + wazuh_version="4.7.3" wazuh_revision="1" indexer_install } @@ -63,7 +63,7 @@ test-ASSERT-FAIL-04-indexer_install-yum-error() { load-indexer_install sys_type="yum" sep="-" - wazuh_version="4.7.2" + wazuh_version="4.7.3" wazuh_revision="1" @mockfalse yum install wazuh-indexer-1.13.2-1 -y indexer_install @@ -73,7 +73,7 @@ test-05-indexer_install-apt() { load-indexer_install sys_type="apt-get" sep="=" - wazuh_version="4.7.2" + wazuh_version="4.7.3" wazuh_revision="1" indexer_install } @@ -87,7 +87,7 @@ test-ASSERT-FAIL-06-indexer_install-apt-error() { load-indexer_install sys_type="apt-get" sep="=" - wazuh_version="4.7.2" + wazuh_version="4.7.3" wazuh_revision="1" @mockfalse apt install wazuh-indexer=1.13.2-1 -y indexer_install diff --git a/unattended_installer/builder.sh b/unattended_installer/builder.sh index 061c77166d..a3dea345a8 100755 --- a/unattended_installer/builder.sh +++ b/unattended_installer/builder.sh 
@@ -16,7 +16,7 @@ readonly resources_certs="${base_path_builder}/cert_tool" readonly resources_passwords="${base_path_builder}/passwords_tool" readonly resources_common="${base_path_builder}/common_functions" readonly resources_download="${base_path_builder}/downloader" -source_branch="4.7.2" +source_branch="4.7.3" function getHelp() { diff --git a/unattended_installer/install_functions/installVariables.sh b/unattended_installer/install_functions/installVariables.sh index 46b4e80e78..0df8af5ecc 100644 --- a/unattended_installer/install_functions/installVariables.sh +++ b/unattended_installer/install_functions/installVariables.sh @@ -8,7 +8,7 @@ ## Package vars readonly wazuh_major="4.7" -readonly wazuh_version="4.7.2" +readonly wazuh_version="4.7.3" readonly filebeat_version="7.10.2" readonly wazuh_install_vesion="0.1" readonly source_branch="v${wazuh_version}" From e4c96247b6f0855d66adb6968e374065bcf4e4d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 20 Feb 2024 13:14:33 +0100 Subject: [PATCH 11/34] Added wazuh alerts injection to indexer --- unattended_installer/install_functions/indexer.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/unattended_installer/install_functions/indexer.sh b/unattended_installer/install_functions/indexer.sh index da75373163..b71aeba3fd 100644 --- a/unattended_installer/install_functions/indexer.sh +++ b/unattended_installer/install_functions/indexer.sh 
@@ -203,4 +203,14 @@ function indexer_startCluster() { fi fi + # Wazuh alerts template injection + eval "common_curl --silent ${filebeat_wazuh_template} --max-time 300 --retry 5 --retry-delay 5 ${debug}" | eval "common_curl -X PUT 'https://${indexer_node_ips[pos]}:9200/_template/wazuh' -H 'Content-Type: application/json' -d @- -uadmin:admin -k --silent --max-time 300 --retry 5 --retry-delay 5 ${debug}" + if [ "${PIPESTATUS[0]}" != 0 ]; then + common_logger -e "The wazuh-alerts template could not be inserted into the Wazuh indexer cluster." + exit 1 + else + common_logger -d "Inserted wazuh-alerts template into the Wazuh indexer cluster." + fi + + } From 8e11ec565e08d252a797e4604a570e0a6b5ffd81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 20 Feb 2024 13:16:46 +0100 Subject: [PATCH 12/34] Removed ISM script calls --- .../install_functions/indexer.sh | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/unattended_installer/install_functions/indexer.sh b/unattended_installer/install_functions/indexer.sh index b71aeba3fd..b08dc34414 100644 --- a/unattended_installer/install_functions/indexer.sh +++ b/unattended_installer/install_functions/indexer.sh @@ -129,14 +129,6 @@ function indexer_initialize() { exit 1 else common_logger "Wazuh indexer cluster security configuration initialized." - eval "bash /usr/share/wazuh-indexer/bin/indexer-ism-init.sh ${debug}" - if [ "${PIPESTATUS[0]}" != 0 ]; then - common_logger -w "The Wazuh indexer cluster ISM policy could not be created." - installCommon_rollBack - exit 1 - else - common_logger "The Wazuh indexer cluster ISM initialized." - fi fi fi 
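Review bot: The success check after the template injection pipeline only inspects `PIPESTATUS[0]`, the exit status of the download curl; the PUT to the indexer is `PIPESTATUS[1]` and is never examined, and since neither curl passes `--fail` a rejected template (HTTP 4xx/5xx, e.g. malformed JSON or credentials that are no longer `admin:admin`) still logs "Inserted wazuh-alerts template". Change the guard to `if [ "${PIPESTATUS[0]}" != 0 ] || [ "${PIPESTATUS[1]}" != 0 ]; then` and add `--fail` to the PUT curl. `--retry 5` on the PUT cannot replay a body read from stdin (`-d @-`), so a retried request would go out without the template; writing the download to a temporary file or variable and passing it with `-d @file` lets the retries re-send it. The template is fetched from `${filebeat_wazuh_template}` and loaded into the cluster with no integrity check, and `-k` disables certificate verification even though the installer manages the cluster certificates at this point — if the CA path is available here, `--cacert` would be preferable. The enclosing `indexer_startCluster` body, where `pos` and `indexer_node_ips` are set, begins outside the hunk.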
@@ -193,14 +185,6 @@ function indexer_startCluster() { exit 1 else common_logger "Wazuh indexer cluster security configuration initialized." - eval "bash /usr/share/wazuh-indexer/bin/indexer-ism-init.sh -i ${wazuh_indexer_ip} ${debug}" - if [ "${PIPESTATUS[0]}" != 0 ]; then - common_logger -w "The Wazuh indexer cluster ISM policy could not be created." - installCommon_rollBack - exit 1 - else - common_logger "The Wazuh indexer cluster ISM initialized." - fi fi # Wazuh alerts template injection From 5fd88ea9cffab487ff26fc4a912582f7d9b8d6ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 20 Feb 2024 17:14:47 +0100 Subject: [PATCH 13/34] Updated cluster initialization script in Offline GHA --- .github/actions/offline-installation/common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/offline-installation/common.sh b/.github/actions/offline-installation/common.sh index d9b73447c1..3c027a1342 100644 --- a/.github/actions/offline-installation/common.sh +++ b/.github/actions/offline-installation/common.sh @@ -190,7 +190,7 @@ function indexer_initialize() { echo "ERROR: The indexer node is not started." exit 1 fi - /usr/share/wazuh-indexer/bin/indexer-init.sh + /usr/share/wazuh-indexer/bin/indexer-security-init.sh } From b5ab80ae0efd7da8986568100537e29b3e3e3c79 Mon Sep 17 00:00:00 2001 From: Mateo Cervilla Date: Tue, 20 Feb 2024 17:17:19 +0100 Subject: [PATCH 14/34] Move VD template --- rpms/SPECS/wazuh-manager.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rpms/SPECS/wazuh-manager.spec b/rpms/SPECS/wazuh-manager.spec index 5f0a512bb9..43602b1ebe 100644 --- a/rpms/SPECS/wazuh-manager.spec +++ b/rpms/SPECS/wazuh-manager.spec 
@@ -713,7 +713,8 @@ rm -fr %{buildroot} %attr(640, wazuh, wazuh) %ghost %{_localstatedir}/logs/integrations.log %attr(660, wazuh, wazuh) %ghost %{_localstatedir}/logs/ossec.log %attr(660, wazuh, wazuh) %ghost %{_localstatedir}/logs/ossec.json -%attr(0440, root, wazuh) %{_localstatedir}/queue/indexer/vd_states_template.json +%dir %attr(750, wazuh, wazuh) %{_localstatedir}/templates +%attr(0440, root, wazuh) %{_localstatedir}/templates/vd_states_template.json %dir %attr(750, wazuh, wazuh) %{_localstatedir}/logs/api %dir %attr(750, wazuh, wazuh) %{_localstatedir}/logs/archives %dir %attr(750, wazuh, wazuh) %{_localstatedir}/logs/alerts From f8b7bc924a8beb3fa18979b82914fea4bd6ec77e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 20 Feb 2024 17:30:04 +0100 Subject: [PATCH 15/34] Changed `localhost` to `127.0.0.1` in Offline GHA --- .github/actions/offline-installation/common.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/actions/offline-installation/common.sh b/.github/actions/offline-installation/common.sh index 3c027a1342..5ae15930f3 100644 --- a/.github/actions/offline-installation/common.sh +++ b/.github/actions/offline-installation/common.sh @@ -44,7 +44,7 @@ function check_file() { function check_shards() { retries=0 - until [ "$(curl -s -k -u admin:admin "https://localhost:9200/_template/wazuh?pretty&filter_path=wazuh.settings.index.number_of_shards" | grep "number_of_shards")" ] || [ "${retries}" -eq 5 ]; do + until [ "$(curl -s -k -u admin:admin "https://127.0.0.1:9200/_template/wazuh?pretty&filter_path=wazuh.settings.index.number_of_shards" | grep "number_of_shards")" ] || [ "${retries}" -eq 5 ]; do sleep 5 retries=$((retries+1)) done 
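Review bot: The new `%{_localstatedir}/templates` directory is owned `wazuh:wazuh` with mode 750 while `vd_states_template.json` inside it is `root:wazuh` 0440, so the wazuh user cannot edit the file but, owning the directory, can unlink and replace it; if root ownership of the file is meant to keep the service account from altering the template, the directory should be `%dir %attr(750, root, wazuh) %{_localstatedir}/templates` as well. The `%install` step that places the file at the old `queue/indexer/` path is outside the hunk; confirm it now copies to `templates/`, otherwise this `%files` entry will not match and the build fails. If the Debian packaging also ships this template, its path presumably needs the same move for consistency.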
@@ -53,7 +53,7 @@ function check_shards() { echo "ERROR: Could not get the number of shards." exit 1 fi - curl -s -k -u admin:admin "https://localhost:9200/_template/wazuh?pretty&filter_path=wazuh.settings.index.number_of_shards" + curl -s -k -u admin:admin "https://127.0.0.1:9200/_template/wazuh?pretty&filter_path=wazuh.settings.index.number_of_shards" echo "INFO: Number of shards detected." } @@ -81,7 +81,7 @@ function dashboard_installation() { sleep 10 # In this context, 302 HTTP code refers to SSL certificates warning: success. - if [ "$(curl -k -s -I -w "%{http_code}" https://localhost -o /dev/null --fail)" -ne "302" ]; then + if [ "$(curl -k -s -I -w "%{http_code}" https://127.0.0.1 -o /dev/null --fail)" -ne "302" ]; then echo "ERROR: The Wazuh dashboard installation has failed." exit 1 fi @@ -226,7 +226,7 @@ function indexer_installation() { indexer_initialize sleep 10 - eval "curl -s -XGET https://localhost:9200 -u admin:admin -k --fail" + eval "curl -s -XGET https://127.0.0.1:9200 -u admin:admin -k --fail" if [ "${PIPESTATUS[0]}" != 0 ]; then echo "ERROR: The Wazuh indexer installation has failed." exit 1 From 9810ddd39bb75e0fa060ed1b78152143bec54ee5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 20 Feb 2024 17:43:38 +0100 Subject: [PATCH 16/34] Added retry structure to Dashboard initialization --- .github/actions/offline-installation/common.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/actions/offline-installation/common.sh b/.github/actions/offline-installation/common.sh index 5ae15930f3..58a322629c 100644 --- a/.github/actions/offline-installation/common.sh +++ b/.github/actions/offline-installation/common.sh 
@@ -79,13 +79,19 @@ function dashboard_installation() { /usr/share/wazuh-dashboard/bin/opensearch-dashboards "-c /etc/wazuh-dashboard/opensearch_dashboards.yml" --allow-root > /dev/null 2>&1 & fi - sleep 10 + retries=0 # In this context, 302 HTTP code refers to SSL certificates warning: success. - if [ "$(curl -k -s -I -w "%{http_code}" https://127.0.0.1 -o /dev/null --fail)" -ne "302" ]; then + until [ "$(curl -k -s -I -w "%{http_code}" https://127.0.0.1 -o /dev/null --fail)" -ne "302" ] || [ "${retries}" -eq 5 ]; then + + sleep 10 + retries=$((retries+1)) + fi + if [ ${retries} -eq 5 ]; then echo "ERROR: The Wazuh dashboard installation has failed." exit 1 + else + echo "INFO: The Wazuh dashboard is ready." fi - echo "INFO: The Wazuh dashboard is ready." } From 0e4e14679ead6c795bfe16b12fa0fc228d9f8e45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 20 Feb 2024 17:51:47 +0100 Subject: [PATCH 17/34] Debugging GHA --- .github/actions/offline-installation/common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/offline-installation/common.sh b/.github/actions/offline-installation/common.sh index 58a322629c..8aeb566694 100644 --- a/.github/actions/offline-installation/common.sh +++ b/.github/actions/offline-installation/common.sh @@ -82,7 +82,7 @@ function dashboard_installation() { retries=0 # In this context, 302 HTTP code refers to SSL certificates warning: success. until [ "$(curl -k -s -I -w "%{http_code}" https://127.0.0.1 -o /dev/null --fail)" -ne "302" ] || [ "${retries}" -eq 5 ]; then - + echo "INFO: Sleeping 10 seconds." sleep 10 retries=$((retries+1)) fi From a1def9a0a56a409f5b72afdee6422c2bfb462c8a Mon Sep 17 00:00:00 2001 From: Mateo Cervilla Date: Tue, 20 Feb 2024 18:47:39 +0100 Subject: [PATCH 18/34] Add possibility to build wazuh with same branch name --- .github/workflows/build-rpm-packages.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) 
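Review bot: The retry loop is not valid shell: `until … ; then … fi` must be `until … ; do … done`, so `dashboard_installation` will fail to parse with a syntax error near `then`. The loop condition is also inverted — `until [ … -ne "302" ]` stops at the first non-302 answer and keeps looping while the dashboard is already returning 302, the state the comment calls success; it should read `until [ "$(curl -k -s -I -w "%{http_code}" https://127.0.0.1 -o /dev/null --fail)" -eq "302" ] || [ "${retries}" -eq 5 ]; do` with the loop closed by `done` in place of `fi`. The follow-up `@@ -82,7 +82,7 @@` hunk (PATCH 17/34) that adds the `echo "INFO: Sleeping 10 seconds."` line keeps the same `then`/`fi` structure and needs the same fix. The rest of `dashboard_installation` starts outside the hunk.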
diff --git a/.github/workflows/build-rpm-packages.yml b/.github/workflows/build-rpm-packages.yml index 4ec751130f..9bf911c3fc 100644 --- a/.github/workflows/build-rpm-packages.yml +++ b/.github/workflows/build-rpm-packages.yml @@ -10,6 +10,8 @@ on: jobs: Wazuh-agent-rpm-package-build: + env: + BRANCH_NAME: ${{ github.head_ref || github.ref_name }} runs-on: ubuntu-latest strategy: matrix: @@ -68,8 +70,13 @@ jobs: if : steps.changes.outputs.rpm_packages == 'true' || (steps.changes.outputs.rpm_images_agent_i386 == 'true' && matrix.ARCHITECTURE == 'i386') || ((steps.changes.outputs.rpm_images_manager_x86_64 == 'true' || steps.changes.outputs.rpm_images_agent_x86_64 == 'true') && matrix.ARCHITECTURE == 'x86_64') working-directory: ./rpms run: | + if [ "X`git ls-remote --heads https://github.com/wazuh/wazuh.git ${BRANCH_NAME}`" != "X" ]; then + W_BRANCH=${BRANCH_NAME} + else + W_BRANCH=${{ env.VERSION }} + fi REVISION=$( echo ${{ github.head_ref }} | sed 's/-/./g; s/\//./g' ) - bash generate_rpm_package.sh -b ${{ env.VERSION }} -t ${{ matrix.TYPE }} -a ${{ matrix.ARCHITECTURE }} --dev -j 2 --dont-build-docker --tag ${{ env.TAG }} -r $REVISION + bash generate_rpm_package.sh -b ${W_BRANCH} -t ${{ matrix.TYPE }} -a ${{ matrix.ARCHITECTURE }} --dev -j 2 --dont-build-docker --tag ${{ env.TAG }} -r $REVISION echo "PACKAGE_NAME=$(ls ./output | grep .rpm | head -n 1)" >> $GITHUB_ENV - name: Upload Wazuh ${{ matrix.TYPE }} ${{ matrix.ARCHITECTURE }} package as artifact From 58ac81348955be1a07281da8dc1dec094bdbed11 Mon Sep 17 00:00:00 2001 
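Review bot: The branch-existence check `git ls-remote --heads https://github.com/wazuh/wazuh.git ${BRANCH_NAME}` treats its argument as a pattern matched against the tail of the ref name, so a branch such as `feature/4.7.3` also satisfies a lookup for `4.7.3`, and the unquoted expansion is subject to word splitting; `BRANCH_NAME` comes from `github.head_ref`, which is chosen by the pull-request author, so it should be quoted wherever it is expanded (`"${BRANCH_NAME}"`, `-b "${W_BRANCH}"`). A stricter and simpler form is `if git ls-remote --exit-code --heads https://github.com/wazuh/wazuh.git "refs/heads/${BRANCH_NAME}" >/dev/null 2>&1; then`, which matches the exact ref and uses the exit status instead of the `"X\`…\`" != "X"` idiom. The adjacent context line `REVISION=$( echo ${{ github.head_ref }} … )` still interpolates the head ref directly into the script text; reading it from the new `BRANCH_NAME` env var instead would close that path too, though that line is not part of this change. The `env:` block added in the `@@ -10,6 +10,8 @@` hunk is the right mechanism for this, and the step that runs the script starts outside the hunk.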
From: Raul Del Pozo Moreno Date: Tue, 20 Feb 2024 21:28:06 +0100 Subject: [PATCH 19/34] Removed ISM changes --- stack/indexer/base/builder.sh | 10 +- stack/indexer/base/generate_base.sh | 19 +- stack/indexer/deb/build_package.sh | 16 +- stack/indexer/deb/debian/rules | 4 - stack/indexer/indexer-init.sh | 138 -------- stack/indexer/indexer-ism-init.sh | 438 ------------------------- stack/indexer/indexer-security-init.sh | 10 +- stack/indexer/rpm/build_package.sh | 16 +- stack/indexer/rpm/wazuh-indexer.spec | 5 - 9 files changed, 11 insertions(+), 645 deletions(-) delete mode 100644 stack/indexer/indexer-init.sh delete mode 100644 stack/indexer/indexer-ism-init.sh diff --git a/stack/indexer/base/builder.sh b/stack/indexer/base/builder.sh index 4186c79ba7..7dad4505fd 100644 --- a/stack/indexer/base/builder.sh +++ b/stack/indexer/base/builder.sh @@ -14,9 +14,8 @@ set -ex architecture="$1" revision="$2" -filebeat_module_reference="$3" -future="$4" -reference="$5" +future="$3" +reference="$4" opensearch_version="2.10.0" base_dir=/opt/wazuh-indexer-base @@ -65,17 +64,12 @@ mkdir -p ./etc/wazuh-indexer/ cp -r ./config/* ./etc/wazuh-indexer/ rm -rf ./config cp -r /root/stack/indexer/base/files/etc/wazuh-indexer/* ./etc/wazuh-indexer/ -curl -so ./etc/wazuh-indexer/wazuh-template.json "https://raw.githubusercontent.com/wazuh/wazuh/${filebeat_module_reference}/extensions/elasticsearch/7.x/wazuh-template.json" cp -r /root/stack/indexer/base/files/etc/sysconfig ./etc/ cp -r /root/stack/indexer/base/files/etc/init.d ./etc/ cp -r /root/stack/indexer/base/files/usr ./ -cp -r /root/stack/indexer/indexer-ism-init.sh bin/ -cp -r /root/stack/indexer/indexer-init.sh bin/ rm -rf ./plugins/opensearch-security/tools/install_demo_configuration.sh cp /root/VERSION . - - # ----------------------------------------------------------------------------- # Compile systemD module 
diff --git a/stack/indexer/base/generate_base.sh b/stack/indexer/base/generate_base.sh index 78fcf47e51..8124510bbc 100755 --- a/stack/indexer/base/generate_base.sh +++ b/stack/indexer/base/generate_base.sh @@ -18,7 +18,6 @@ container_name="indexer_base_builder" architecture="x64" future="no" revision="1" -filebeat_module_reference="" # ----------------------------------------------------------------------------- @@ -49,11 +48,11 @@ build_base() { # Build the RPM package with a Docker container if [ "${reference}" ];then docker run -t --rm -v ${outdir}/:/tmp/output:Z \ - ${container_name} ${architecture} ${revision} ${filebeat_module_reference} ${future} ${reference} || return 1 + ${container_name} ${architecture} ${revision} ${future} ${reference} || return 1 else docker run -t --rm -v ${outdir}/:/tmp/output:Z \ -v ${current_path}/../../..:/root:Z \ - ${container_name} ${architecture} ${revision} ${filebeat_module_reference} ${future} || return 1 + ${container_name} ${architecture} ${revision} ${future} || return 1 fi echo "Base file $(ls -Art ${outdir} | tail -n 1) added to ${outdir}." @@ -69,7 +68,6 @@ help() { echo echo " -s, --store [Optional] Set the destination path of package. By default, an output folder will be created." echo " --reference [Optional] wazuh-packages branch or tag." - echo " -f, --filebeat-module-reference [Optional] wazuh/wazuh Filebeat template branch or tag." echo " --future [Optional] Build test future package 99.99.0 Used for development purposes." echo " -r, --revision [Optional] Package revision. By default ${revision}" echo " -h, --help Show this help." @@ -102,14 +100,6 @@ main() { help 1 fi ;; - "-f"|"--filebeat-module-reference") - if [ -n "${2}" ]; then - filebeat_module_reference="${2}" - shift 2 - else - help 1 - fi - ;; "--future") future="yes" shift 1 
@@ -122,16 +112,11 @@ main() { help 1 fi ;; - *) help 1 esac done - if [ -z "${filebeat_module_reference}" ]; then - filebeat_module_reference=$(cat ${current_path}/../../../VERSION) - fi - build_base || clean 1 clean 0 diff --git a/stack/indexer/deb/build_package.sh b/stack/indexer/deb/build_package.sh index cb08a00680..c8c9eade6f 100755 --- a/stack/indexer/deb/build_package.sh +++ b/stack/indexer/deb/build_package.sh @@ -18,7 +18,6 @@ deb_builder_dockerfile="${current_path}/docker" future="no" base_cmd="" build_base="yes" -filebeat_module_reference="" trap ctrl_c INT @@ -50,7 +49,7 @@ build_deb() { if [ "${reference}" ];then base_cmd+="--reference ${reference}" fi - ../base/generate_base.sh -s ${outdir} -r ${revision} -f ${filebeat_module_reference} ${base_cmd} + ../base/generate_base.sh -s ${outdir} -r ${revision} ${base_cmd} else if [ "${reference}" ];then version=$(curl -sL https://raw.githubusercontent.com/wazuh/wazuh-packages/${reference}/VERSION | cat) @@ -113,7 +112,6 @@ help() { echo " -r, --revision [Optional] Package revision. By default: 1." echo " -s, --store [Optional] Set the destination path of package. By default, an output folder will be created." echo " --reference [Optional] wazuh-packages branch to download SPECs, not used by default." - echo " -f, --filebeat-module-reference [Optional] wazuh/wazuh Filebeat template branch or tag." echo " --dont-build-docker [Optional] Locally built docker image will be used instead of generating a new one." echo " --future [Optional] Build test future package 99.99.0 Used for development purposes." echo " -h, --help Show this help." @@ -161,14 +159,6 @@ main() { help 1 fi ;; - "-f"|"--filebeat-module-reference") - if [ -n "${2}" ]; then - filebeat_module_reference="${2}" - shift 2 - else - help 1 - fi - ;; "--dont-build-docker") build_docker="no" shift 1 
@@ -190,10 +180,6 @@ main() { esac done - if [ -z "${filebeat_module_reference}" ]; then - filebeat_module_reference=$(cat ${current_path}/../../../VERSION) - fi - build || clean 1 clean 0 diff --git a/stack/indexer/deb/debian/rules b/stack/indexer/deb/debian/rules index d53495b003..c05e796ec3 100644 --- a/stack/indexer/deb/debian/rules +++ b/stack/indexer/deb/debian/rules @@ -100,7 +100,6 @@ override_dh_install: cp /root/documentation-templates/wazuh/config.yml $(TARGET_DIR)$(INSTALLATION_DIR)/plugins/opensearch-security/tools/config.yml # Copy Wazuh's config files for the security plugin - cp -pr $(REPO_DIR)/config/indexer/roles/action_groups.yml $(TARGET_DIR)$(CONFIG_DIR)/opensearch-security/ cp -pr $(REPO_DIR)/config/indexer/roles/roles_mapping.yml $(TARGET_DIR)$(CONFIG_DIR)/opensearch-security/ cp -pr $(REPO_DIR)/config/indexer/roles/roles.yml $(TARGET_DIR)$(CONFIG_DIR)/opensearch-security/ cp -pr $(REPO_DIR)/config/indexer/roles/internal_users.yml $(TARGET_DIR)$(CONFIG_DIR)/opensearch-security/ 
@@ -153,15 +152,12 @@ override_dh_fixperms: chmod 660 $(TARGET_DIR)$(CONFIG_DIR)/jvm.options chmod 750 $(TARGET_DIR)$(INSTALLATION_DIR)/modules/aggs-matrix-stats chmod 660 $(TARGET_DIR)$(CONFIG_DIR)/opensearch.yml - chmod 660 $(TARGET_DIR)$(CONFIG_DIR)/wazuh-template.json chmod 640 $(TARGET_DIR)$(CONFIG_DIR)/opensearch-security/roles_mapping.yml chmod 640 $(TARGET_DIR)$(CONFIG_DIR)/opensearch-security/internal_users.yml chmod 640 $(TARGET_DIR)$(CONFIG_DIR)/opensearch-security/roles.yml chmod 750 $(TARGET_DIR)$(CONFIG_DIR)/jvm.options.d chmod 440 $(TARGET_DIR)$(INSTALLATION_DIR)/VERSION chmod 750 $(TARGET_DIR)$(INSTALLATION_DIR)/bin/indexer-security-init.sh - chmod 750 $(TARGET_DIR)$(INSTALLATION_DIR)/bin/indexer-ism-init.sh - chmod 750 $(TARGET_DIR)$(INSTALLATION_DIR)/bin/indexer-init.sh chmod 750 $(TARGET_DIR)$(INSTALLATION_DIR)/bin/systemd-entrypoint chmod 740 $(TARGET_DIR)$(INSTALLATION_DIR)/plugins/opensearch-security/tools/audit_config_migrater.sh chmod 740 $(TARGET_DIR)$(INSTALLATION_DIR)/plugins/opensearch-security/tools/hash.sh diff --git a/stack/indexer/indexer-init.sh b/stack/indexer/indexer-init.sh deleted file mode 100644 index 80882e290e..0000000000 --- a/stack/indexer/indexer-init.sh +++ /dev/null 
@@ -1,138 +0,0 @@ -#!/bin/bash -# Wazuh Copyright (C) 2023 Wazuh Inc. (License GPLv2) -# Wazuh - indexer initialization script - -INSTALL_PATH="/usr/share/wazuh-indexer" -BIN_PATH="${INSTALL_PATH}/bin" - - -######################################################################### -# Parse arguments for security init script. -######################################################################### -function parse_security_args() { - security_args=() - - while [ -n "$1" ]; do - case "$1" in - "-h" | "--help") - security_args+=("${1}") - shift - ;; - "-ho" | "--host") - if [ -n "$2" ]; then - security_args+=("${1}" "${2}") - shift 2 - fi - ;; - "--port") - if [ -n "$2" ]; then - security_args+=("${1}" "${2}") - shift 2 - fi - ;; - "--options") - if [ -n "$2" ]; then - security_args+=("${1}" "${2}") - shift 2 - fi - ;; - *) - shift - ;; - esac - done -} - - -######################################################################### -# Run the security init script. -######################################################################### -function run_security_init() { - echo "Executing Wazuh indexer security init script..." - parse_security_args "$@" - /bin/bash "${BIN_PATH}/indexer-security-init.sh" "${security_args[@]}" -} - - -######################################################################### -# Parse arguments for ISM init script. 
-######################################################################### -function parse_ism_args() { - ism_args=() - - while [ -n "${1}" ]; do - case "${1}" in - "-a" | "--min-index-age") - if [ -n "${2}" ]; then - ism_args+=("${1}" "${2}") - shift 2 - fi - ;; - "-d" | "--min-doc-count") - if [ -n "${2}" ]; then - ism_args+=("${1}" "${2}") - shift 2 - fi - ;; - "-h" | "--help") - ism_args+=("${1}") - shift - ;; - "-i" | "--indexer-hostname") - if [ -n "${2}" ]; then - ism_args+=("${1}" "${2}") - shift 2 - fi - ;; - "-p" | "--indexer-password") - if [ -n "${2}" ]; then - ism_args+=("${1}" "${2}") - shift 2 - fi - ;; - "-s" | "--min-shard-size") - if [ -n "${2}" ]; then - ism_args+=("${1}" "${2}") - shift 2 - fi - ;; - "-P" | "--priority") - if [ -n "${2}" ]; then - ism_args+=("${1}" "${2}") - shift 2 - fi - ;; - "-v" | "--verbose") - ism_args+=("${1}") - shift - ;; - *) - shift - ;; - esac - done -} - - -######################################################################### -# Run the ISM init script. -######################################################################### -function run_ism_init() { - echo "Executing Wazuh indexer ISM init script..." - parse_ism_args "$@" - /bin/bash "${BIN_PATH}/indexer-ism-init.sh" "${ism_args[@]}"; -} - - -######################################################################### -# Main function. -######################################################################### -function main() { - # If run_security_init returns 0, then run_ism_init - if run_security_init "$@" -gt 0; then - run_ism_init "$@" - fi -} - - -main "$@" diff --git a/stack/indexer/indexer-ism-init.sh b/stack/indexer/indexer-ism-init.sh deleted file mode 100644 index 3e9e4a3f27..0000000000 --- a/stack/indexer/indexer-ism-init.sh +++ /dev/null 
@@ -1,438 +0,0 @@ -#!/bin/bash -# Wazuh Copyright (C) 2023 Wazuh Inc. (License GPLv2) -# Wazuh - Indexer set rollover policy and templates - -# Policy settings -MIN_SHARD_SIZE="25" -MIN_INDEX_AGE="7d" -MIN_DOC_COUNT="600000000" -ISM_INDEX_PATTERNS='["wazuh-alerts-*", "wazuh-archives-*", "-wazuh-alerts-4.x-sample*"]' -ISM_PRIORITY="50" -INDEXER_PASSWORD="admin" -INDEXER_HOSTNAME="localhost" - -POLICY_NAME="rollover_policy" -LOG_FILE="/tmp/wazuh-indexer/ism-init.log" - -INDEXER_URL="https://${INDEXER_HOSTNAME}:9200" - -# curl settings shortcuts -C_AUTH="-u admin:${INDEXER_PASSWORD}" - -ALERTS_TEMPLATE="/etc/wazuh-indexer/wazuh-template.json" - -######################################################################### -# Creates the rollover_policy ISM policy. -# Globals: -# MIN_SHARD_SIZE: The minimum shard size in GB. -# MIN_INDEX_AGE: The minimum index age. -# MIN_DOC_COUNT: The minimum document count. -# ISM_INDEX_PATTERNS: The index patterns to apply the policy. -# ISM_PRIORITY: The policy priority. -# Arguments: -# None. -# Returns: -# The rollover policy as a JSON string -######################################################################### -function generate_rollover_policy() { - cat <<-EOF - { - "policy": { - "description": "Wazuh rollover and alias policy", - "default_state": "active", - "states": [ - { - "name": "active", - "actions": [ - { - "rollover": { - "min_primary_shard_size": "${MIN_SHARD_SIZE}gb", - "min_index_age": "${MIN_INDEX_AGE}", - "min_doc_count": "${MIN_DOC_COUNT}" - } - } - ] - } - ], - "ism_template": { - "index_patterns": ${ISM_INDEX_PATTERNS}, - "priority": "${ISM_PRIORITY}" - } - } - } - EOF -} - -######################################################################### -# Creates an index template with order 3 to set the rollover alias. -# Arguments: -# - The alias name, a string. Also used as index pattern. -# Returns: -# The index template as a JSON string. 
-######################################################################### -function generate_rollover_template() { - cat <<-EOF - { - "order": 3, - "index_patterns": ["${1}-*"], - "settings": { - "index.plugins.index_state_management.rollover_alias": "${1}" - } - } - EOF -} - -######################################################################### -# Creates an index template to disable replicas on ISM configurastion indices. -# Returns: -# The index template as a JSON string. -######################################################################### -function generate_ism_config_template() { - cat <<-EOF - { - "order": 1, - "index_patterns": [ - ".opendistro-ism-managed-index-history-*", - ".opendistro-ism-config", - ".opendistro-job-scheduler-lock" - ], - "settings": { - "number_of_replicas": 0 - } - } - EOF -} - -######################################################################### -# Creates persistent cluster's settings to disable replicas for ISM history. -# Returns: -# The setting as a JSON string. -######################################################################### -function generate_ism_config() { - cat <<-EOF - { - "persistent": { - "plugins": { - "index_state_management": { - "history": { - "number_of_replicas": "0" - } - } - } - } - } - EOF -} - -######################################################################### -# Loads the index templates for the rollover policy to the indexer. -######################################################################### -function load_templates() { - # Load wazuh-template.json, needed for initial indices creation. - echo "Will create 'wazuh' index template" - if [ -f "${ALERTS_TEMPLATE}" ]; then - cat "${ALERTS_TEMPLATE}" | - if ! 
curl -s -k ${C_AUTH} \ - -X PUT "${INDEXER_URL}/_template/wazuh" \ - -o "${LOG_FILE}" --create-dirs \ - -H 'Content-Type: application/json' -d @-; then - echo " ERROR: 'wazuh' template creation failed" - return 1 - else - echo " SUCC: 'wazuh' template created or updated" - fi - else - echo " ERROR: ${ALERTS_TEMPLATE} not found" - fi - - # Load template for ISM configuration indices - echo "Will create 'ism_history_indices' index template" - generate_ism_config_template | - if ! curl -s -k ${C_AUTH} \ - -X PUT "${INDEXER_URL}/_template/ism_history_indices" \ - -o "${LOG_FILE}" --create-dirs \ - -H 'Content-Type: application/json' -d @-; then - echo " ERROR: 'ism_history_indices' template creation failed" - return 1 - else - echo " SUCC: 'ism_history_indices' template created or updated" - fi - - # Make settings persistent - echo "Will disable replicas for 'plugins.index_state_management.history' indices" - generate_ism_config | - if ! curl -s -k ${C_AUTH} \ - -X PUT "${INDEXER_URL}/_cluster/settings" \ - -o "${LOG_FILE}" --create-dirs \ - -H 'Content-Type: application/json' -d @-; then - echo " ERROR: cluster's settings update failed" - return 1 - else - echo " SUCC: cluster's settings saved" - fi - - echo "Will create index templates to configure the alias" - for alias in "${aliases[@]}"; do - generate_rollover_template "${alias}" | - if ! curl -s -k ${C_AUTH} \ - -X PUT "${INDEXER_URL}/_template/${alias}-rollover" \ - -o "${LOG_FILE}" --create-dirs \ - -H 'Content-Type: application/json' -d @-; then - echo " ERROR: '${alias}' template creation failed" - return 1 - else - echo " SUCC: '${alias}' template created or updated" - fi - done -} - -######################################################################### -# Uploads the rollover policy. -# If the policy does not exist, the policy "${POLICY_NAME}" is created. -# If the policy exists, but the rollover conditions are different, the -# policy is updated. -# Arguments: -# None. 
-######################################################################### -function upload_rollover_policy() { - echo "Will create the '${POLICY_NAME}' policy" - policy_exists=$( - curl -s -k ${C_AUTH} \ - -X GET "${INDEXER_URL}/_plugins/_ism/policies/${POLICY_NAME}" \ - -o "${LOG_FILE}" --create-dirs \ - -w "%{http_code}" - ) - - # Check if the ${POLICY_NAME} ISM policy was loaded (404 error if not found) - if [[ "${policy_exists}" == "404" ]]; then - policy_uploaded=$( - curl -s -k ${C_AUTH} \ - -X PUT "${INDEXER_URL}/_plugins/_ism/policies/${POLICY_NAME}" \ - -o "${LOG_FILE}" --create-dirs \ - -H 'Content-Type: application/json' \ - -d "$(generate_rollover_policy)" \ - -w "%{http_code}" - ) - - if [[ "${policy_uploaded}" == "201" ]]; then - echo " SUCC: '${POLICY_NAME}' policy created" - else - echo " ERROR: '${POLICY_NAME}' policy not created => ${policy_uploaded}" - return 1 - fi - else - if [[ "${policy_exists}" == "200" ]]; then - echo " INFO: policy '${POLICY_NAME}' already exists. Skipping policy creation" - else - echo " ERROR: could not check if the policy '${POLICY_NAME}' exists => ${policy_exists}" - return 1 - fi - fi -} - -######################################################################### -# Check if an alias exists in the indexer. -# Arguments: -# 1. The alias to look for. String. -######################################################################### -function check_for_write_index() { - curl -s -k ${C_AUTH} "${INDEXER_URL}/_cat/aliases" | - grep -i "${1}" | - grep -i true | - awk '{print $2}' -} - -######################################################################### -# Creates the settings for the aliased write index. -# Arguments: -# 1. The alias. String. 
-######################################################################### -function generate_write_index_alias() { - cat <<-EOF - { - "aliases": { - "$1": { - "is_write_index": true - } - } - } - EOF -} - -######################################################################### -# Creates the initial aliased write index. -# Arguments: -# 1. The alias. String. -######################################################################### -function create_write_index() { - if ! curl -s -k ${C_AUTH} -o "${LOG_FILE}" --create-dirs \ - -X PUT "$INDEXER_URL/%3C${1}-4.x-%7Bnow%2Fd%7D-000001%3E" \ - -H 'Content-Type: application/json' \ - -d "$(generate_write_index_alias "${1}")"; then - echo " ERROR: creating '${1}' write index" - return 1 - else - echo " SUCC: '${1}' write index created" - fi -} - -######################################################################### -# Creates the write indices for the aliases given as parameter. -# Arguments: -# 1. List of aliases to initialize. -######################################################################### -function create_indices() { - echo "Will create initial indices for the aliases" - for alias in "${aliases[@]}"; do - # Check if there are any write indices for the current alias - write_index_exists=$(check_for_write_index "${alias}") - - # Create the write index if it does not exist - if [[ -z $write_index_exists ]]; then - create_write_index "${alias}" - else - echo " INFO: '${alias}' write index already exists. Skipping write index creation" - fi - done -} - -######################################################################### -# Shows usage help. -######################################################################### -function show_help() { - echo -e "" - echo -e "NAME" - echo -e " indexer-ism-init.sh - Manages the Index State Management plugin for Wazuh indexer index rollovers policies." 
- echo -e "" - echo -e "SYNOPSIS" - echo -e " indexer-ism-init.sh [OPTIONS]" - echo -e "" - echo -e "DESCRIPTION" - echo -e " -a, --min-index-age " - echo -e " Set the minimum index age. By default 7d." - echo -e "" - echo -e " -d, --min-doc-count " - echo -e " Set the minimum document count. By default 200000000." - echo -e "" - echo -e " -h, --help" - echo -e " Shows help." - echo -e "" - echo -e " -i, --indexer-hostname " - echo -e " Specifies the Wazuh indexer hostname or IP." - echo -e "" - echo -e " -p, --indexer-password " - echo -e " Specifies the Wazuh indexer admin user password." - echo -e "" - echo -e " -P, --priority " - echo -e " Specifies the policy's priority." - echo -e "" - echo -e " -s, --min-shard-size " - echo -e " Set the minimum shard size in GB. By default 25." - echo -e "" - echo -e " -v, --verbose" - echo -e " Set verbose mode. Prints more information." - echo -e "" - return 1 -} - -######################################################################### -# Main function. -######################################################################### -function main() { - # The list should contain every alias which indices implement the - # rollover policy - aliases=("wazuh-alerts" "wazuh-archives") - - while [ -n "${1}" ]; do - case "${1}" in - "-a" | "--min-index-age") - if [ -z "${2}" ]; then - echo "Error on arguments. Probably missing after -a|--min-index-age" - show_help - else - MIN_INDEX_AGE="${2}" - shift 2 - fi - ;; - "-d" | "--min-doc-count") - if [ -z "${2}" ]; then - echo "Error on arguments. Probably missing after -d|--min-doc-count" - show_help - else - MIN_DOC_COUNT="${2}" - shift 2 - fi - ;; - "-h" | "--help") - show_help - ;; - "-i" | "--indexer-hostname") - if [ -z "${2}" ]; then - echo "Error on arguments. 
Probably missing after -i|--indexer-hostname" - show_help - else - INDEXER_HOSTNAME="${2}" - INDEXER_URL="https://${INDEXER_HOSTNAME}:9200" - shift 2 - fi - ;; - "-p" | "--indexer-password") - if [ -z "${2}" ]; then - echo "Error on arguments. Probably missing after -p|--indexer-password" - show_help - else - INDEXER_PASSWORD="${2}" - C_AUTH="-u admin:${INDEXER_PASSWORD}" - shift 2 - fi - ;; - "-s" | "--min-shard-size") - if [ -z "${2}" ]; then - echo "Error on arguments. Probably missing after -s|--min-shard-size" - show_help - else - MIN_SHARD_SIZE="${2}" - shift 2 - fi - ;; - "-P" | "--priority") - if [ -z "${2}" ]; then - echo "Error on arguments. Probably missing after -P|--priority" - show_help - else - ISM_PRIORITY="${2}" - shift 2 - fi - ;; - "-t" | "--template") - if [ -z "${2}" ]; then - echo "Error on arguments. Probably missing