From 742a948715dbd36663b7dfff93980bfda2b59d1a Mon Sep 17 00:00:00 2001
From: Victor Carlos Erenu
Date: Wed, 5 Nov 2025 22:08:36 +0700
Subject: [PATCH 1/6] Delete config files and adapt dockerfiles
---
.../wazuh-dashboard/Dockerfile | 34 ++--
.../wazuh-dashboard/config/config.sh | 73 ++++++--
.../wazuh-dashboard/config/config.yml | 5 -
.../wazuh-dashboard/config/wazuh.yml | 155 ----------------
.../config/wazuh_app_config.sh | 8 -
build-docker-images/wazuh-indexer/Dockerfile | 53 +++---
.../wazuh-indexer/config/action_groups.yml | 12 --
.../wazuh-indexer/config/config.sh | 133 +++++++-------
.../wazuh-indexer/config/config.yml | 5 -
.../wazuh-indexer/config/internal_users.yml | 74 --------
.../wazuh-indexer/config/opensearch.yml | 26 ---
.../wazuh-indexer/config/roles.yml | 171 ------------------
.../wazuh-indexer/config/roles_mapping.yml | 78 --------
.../wazuh-manager/config/filebeat.yml | 31 ----
14 files changed, 154 insertions(+), 704 deletions(-)
delete mode 100644 build-docker-images/wazuh-dashboard/config/config.yml
delete mode 100644 build-docker-images/wazuh-dashboard/config/wazuh.yml
delete mode 100644 build-docker-images/wazuh-indexer/config/action_groups.yml
delete mode 100644 build-docker-images/wazuh-indexer/config/config.yml
delete mode 100644 build-docker-images/wazuh-indexer/config/internal_users.yml
delete mode 100644 build-docker-images/wazuh-indexer/config/opensearch.yml
delete mode 100644 build-docker-images/wazuh-indexer/config/roles.yml
delete mode 100644 build-docker-images/wazuh-indexer/config/roles_mapping.yml
delete mode 100644 build-docker-images/wazuh-manager/config/filebeat.yml
diff --git a/build-docker-images/wazuh-dashboard/Dockerfile b/build-docker-images/wazuh-dashboard/Dockerfile
index aef330c9..c02123d6 100644
--- a/build-docker-images/wazuh-dashboard/Dockerfile
+++ b/build-docker-images/wazuh-dashboard/Dockerfile
@@ -21,13 +21,11 @@ RUN URL_VAR="wazuh_dashboard_url_${TARGETARCH}_rpm" && \
 RUN mkdir -p $INSTALL_DIR/data/wazuh && chmod -R 775 $INSTALL_DIR/data/wazuh
 RUN mkdir -p $INSTALL_DIR/data/wazuh/config && chmod -R 775 $INSTALL_DIR/data/wazuh/config
 RUN mkdir -p $INSTALL_DIR/data/wazuh/logs && chmod -R 775 $INSTALL_DIR/data/wazuh/logs
-COPY config/wazuh.yml $INSTALL_DIR/data/wazuh/config/
 RUN setcap 'cap_net_bind_service=-ep' /usr/share/wazuh-dashboard/node/bin/node
 RUN setcap 'cap_net_bind_service=-ep' /usr/share/wazuh-dashboard/node/fallback/bin/node
 
 # Generate certificates
 COPY config/config.sh .
-COPY config/config.yml /
 RUN bash config.sh
 
 ################################################################################
@@ -58,34 +56,32 @@ ENV USER="wazuh-dashboard" \
 WAZUH_MONITORING_SHARDS="" \
 WAZUH_MONITORING_REPLICAS=""
 
-# Update and install dependencies
-RUN dnf install shadow-utils -y && dnf clean all
+# Copy and set permissions to scripts
+COPY config/entrypoint.sh /
+COPY config/wazuh_app_config.sh /
 
-# Create wazuh-dashboard user and group
-RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
-RUN useradd --system \
+# Update and install dependencies
+RUN yum install shadow-utils -y && \
+ yum clean all && \
+ getent group $GROUP || groupadd -r -g 1000 $GROUP && \
+ useradd --system \
 --uid 1000 \
 --no-create-home \
 --home-dir $INSTALL_DIR \
 --gid $GROUP \
 --shell /sbin/nologin \
 --comment "$USER user" \
- $USER
-
-# Copy and set permissions to scripts
-COPY config/entrypoint.sh /
-COPY config/wazuh_app_config.sh /
-RUN chmod 700 /entrypoint.sh
-RUN chmod 700 /wazuh_app_config.sh
-RUN chown 1000:1000 /*.sh
+ $USER && \
+ chmod 700 /entrypoint.sh && \
+ chmod 700 /wazuh_app_config.sh && \
+ mkdir -p $INSTALL_DIR && \
+ chown 1000:1000 $INSTALL_DIR && \
+ chown 1000:1000 /*.sh && \
+ mkdir -p /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
 
 # Copy Install dir from builder to current image
 COPY --from=builder --chown=1000:1000 $INSTALL_DIR $INSTALL_DIR
 
-# Create custom directory
-RUN mkdir -p /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
-RUN chown 1000:1000 /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
-
 # Set workdir and user
 WORKDIR $INSTALL_DIR
 USER wazuh-dashboard
diff --git a/build-docker-images/wazuh-dashboard/config/config.sh b/build-docker-images/wazuh-dashboard/config/config.sh
index b2cbfea4..36011034 100644
--- a/build-docker-images/wazuh-dashboard/config/config.sh
+++ b/build-docker-images/wazuh-dashboard/config/config.sh
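Review bot: The new `RUN` chain's `getent group $GROUP || groupadd -r -g 1000 $GROUP && \` rebinds the whole command: `&&` and `||` have equal precedence and associate left to right, so a failed `yum install` or `yum clean all` is swallowed by the `||` branch and the build continues as long as `groupadd` succeeds, whereas the removed separate `RUN` lines each failed the build on their own. Scope the alternative to the lookup only: `{ getent group $GROUP || groupadd -r -g 1000 $GROUP; } && \`. The `RUN yum install curl-minimal shadow-utils findutils hostname -y && \` chain in the wazuh-indexer Dockerfile hunk contains the identical `getent ... || groupadd ... && \` line and needs the same grouping. The `mkdir -p /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom` now runs as root and the removed `chown 1000:1000` of that directory is not re-added, so it is worth confirming that the builder tree copied by `COPY --from=builder --chown=1000:1000 $INSTALL_DIR $INSTALL_DIR` actually contains that path; if it does not, the directory presumably stays root-owned for the `wazuh-dashboard` user.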
@@ -9,34 +9,71 @@ export CONFIG_DIR=${INSTALLATION_DIR}/config
 
 ## Variables
 CERT_TOOL=wazuh-certs-tool.sh
-PACKAGES_URL=https://packages.wazuh.com/5.0/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/5.0/
+CERT_CONFIG_FILE=config.yml
+CERT_TOOL_VERSION="${WAZUH_VERSION%.*}"
+PACKAGES_URL=https://packages.wazuh.com/$CERT_TOOL_VERSION/
+PACKAGES_DEV_URL=https://packages-dev.wazuh.com/$CERT_TOOL_VERSION/
 
-## Check if the cert tool exists in S3 buckets
-CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
-CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
+download_package() {
+ local url=$1
+ local package=$2
+ local output=$2
+ echo "Checking $url$package ..."
+ if curl -fsL "$url$package" -o "$output"; then
+ echo "Downloaded $package from $url"
+ return 0
+ else
+ return 1
+ fi
+}
 
-## If cert tool exists in some bucket, download it, if not exit 1
-if [ "$CERT_TOOL_PACKAGES" = "200" ]; then
- curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL
- echo "Cert tool exists in Packages bucket"
-elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then
- curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL
- echo "Cert tool exists in Packages-dev bucket"
+# Download the tool to create the certificates
+echo "Downloading the tool to create the certificates..."
+# Try first the prod URL, if it fails try the dev URL
+if download_package "$PACKAGES_URL" "$CERT_TOOL"; then
+ :
+elif download_package "$PACKAGES_DEV_URL" "$CERT_TOOL"; then
+ :
 else
- echo "Cert tool does not exist in any bucket"
- exit 1
+ echo "The tool to create the certificates does not exist in any bucket"
+ echo "ERROR: certificates were not created"
+ exit 1
 fi
 
-chmod 755 $CERT_TOOL && bash /$CERT_TOOL -A
+# Download the config file for the certificate tool
+echo "Downloading the config file for the certificate tool..."
+# Try first the prod URL, if it fails try the dev URL
+if download_package "$PACKAGES_URL" "$CERT_CONFIG_FILE"; then
+ :
+elif download_package "$PACKAGES_DEV_URL" "$CERT_CONFIG_FILE"; then
+ :
+else
+ echo "The config file for the certificate tool does not exist in any bucket"
+ echo "ERROR: certificates were not created"
+ exit 1
+fi
+
+# Modify the config file to set the IP to localhost
+sed -i 's/ ip:.*/ ip: "127.0.0.1"/' $CERT_CONFIG_FILE
+
+chmod 700 "$CERT_CONFIG_FILE"
+# Create the certificates
+chmod 755 "$CERT_TOOL" && bash "$CERT_TOOL" -A
 
 # Create certs directory
 mkdir -p ${CONFIG_DIR}/certs
 
 # Copy Wazuh dashboard certs to install config dir
-cp /wazuh-certificates/demo.dashboard.pem ${CONFIG_DIR}/certs/dashboard.pem
-cp /wazuh-certificates/demo.dashboard-key.pem ${CONFIG_DIR}/certs/dashboard-key.pem
-cp /wazuh-certificates/root-ca.pem ${CONFIG_DIR}/certs/root-ca.pem
+mv /etc/wazuh-dashboard/* ${CONFIG_DIR}/
+cp -pr /wazuh-certificates/dashboard.pem ${CONFIG_DIR}/certs/dashboard.pem
+cp -pr /wazuh-certificates/dashboard-key.pem ${CONFIG_DIR}/certs/dashboard-key.pem
+cp -pr /wazuh-certificates/root-ca.key ${CONFIG_DIR}/certs/root-ca.key
+cp -pr /wazuh-certificates/root-ca.pem ${CONFIG_DIR}/certs/root-ca.pem
+cp -pr /wazuh-certificates/admin.pem ${CONFIG_DIR}/certs/admin.pem
+cp -pr /wazuh-certificates/admin-key.pem ${CONFIG_DIR}/certs/admin-key.pem
+
+# Modify opensearch.yml config paths
+sed -i "s|/etc/wazuh-dashboard|${CONFIG_DIR}|g" ${CONFIG_DIR}/opensearch_dashboards.yml
 
 chmod -R 500 ${CONFIG_DIR}/certs
 chmod -R 400 ${CONFIG_DIR}/certs/*
\ No newline at end of file
diff --git a/build-docker-images/wazuh-dashboard/config/config.yml b/build-docker-images/wazuh-dashboard/config/config.yml
deleted file mode 100644
index 24764d54..00000000
--- a/build-docker-images/wazuh-dashboard/config/config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-nodes:
- # Wazuh dashboard server nodes
- dashboard:
- - name: demo.dashboard
- ip: demo.dashboard
\ No newline at end of file
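Review bot: The new copy block adds `cp -pr /wazuh-certificates/root-ca.key ${CONFIG_DIR}/certs/root-ca.key` together with the `admin.pem`/`admin-key.pem` copies, which the removed lines did not ship and which nothing in this hunk consumes; as the removed lines show, the dashboard's own TLS material is `dashboard.pem`, `dashboard-key.pem` and `root-ca.pem`. Baking the CA private key and the admin client key into the dashboard image places them in every copy of that image, so unless a later build step needs them, drop those three `cp` lines and keep the three files the old code copied. Separately, `chmod 755 "$CERT_TOOL" && bash "$CERT_TOOL" -A` executes a script that `download_package` fetched with no integrity check, and the silent fallback to `$PACKAGES_DEV_URL` means a production build may end up running a dev artifact; verifying the file against a pinned digest before running it, e.g. `echo "<PINNED_SHA256>  $CERT_TOOL" | sha256sum -c -` with the digest supplied as a build argument, would make the image build reproducible. The same download-then-run pattern appears in the wazuh-indexer config.sh hunk.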
diff --git a/build-docker-images/wazuh-dashboard/config/wazuh.yml b/build-docker-images/wazuh-dashboard/config/wazuh.yml
deleted file mode 100644
index 8e5f9447..00000000
--- a/build-docker-images/wazuh-dashboard/config/wazuh.yml
+++ /dev/null
@@ -1,155 +0,0 @@ ---- -# -# Wazuh app - App configuration file -# Copyright (C) 2017, Wazuh Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# Find more information about this on the LICENSE file. -# -# ======================== Wazuh app configuration file ======================== -# -# Please check the documentation for more information on configuration options: -# https://documentation.wazuh.com/current/installation-guide/index.html -# -# Also, you can check our repository: -# https://github.com/wazuh/wazuh-dashboard-plugins -# -# ------------------------------- Index patterns ------------------------------- -# -# Default index pattern to use. -#pattern: wazuh-alerts-* -# -# ----------------------------------- Checks ----------------------------------- -# -# Defines which checks must to be consider by the healthcheck -# step once the Wazuh app starts. Values must to be true or false. -#checks.pattern : true -#checks.template: true -#checks.api : true -#checks.setup : true -#checks.metaFields: true -# -# --------------------------------- Extensions --------------------------------- -# -# Defines which extensions should be activated when you add a new API entry. -# You can change them after Wazuh app starts. -# Values must to be true or false. -#extensions.pci : true -#extensions.gdpr : true -#extensions.hipaa : true -#extensions.nist : true -#extensions.tsc : true -#extensions.audit : true -#extensions.oscap : false -#extensions.ciscat : false -#extensions.aws : false -#extensions.gcp : false -#extensions.virustotal: false -#extensions.osquery : false -#extensions.docker : false -# -# ---------------------------------- Time out ---------------------------------- -# -# Defines maximum timeout to be used on the Wazuh app requests. 
-# It will be ignored if it is bellow 1500. -# It means milliseconds before we consider a request as failed. -# Default: 20000 -#timeout: 20000 -# -# -------------------------------- API selector -------------------------------- -# -# Defines if the user is allowed to change the selected -# API directly from the Wazuh app top menu. -# Default: true -#api.selector: true -# -# --------------------------- Index pattern selector --------------------------- -# -# Defines if the user is allowed to change the selected -# index pattern directly from the Wazuh app top menu. -# Default: true -#ip.selector: true -# -# List of index patterns to be ignored -#ip.ignore: [] -# -# ------------------------------ wazuh-monitoring ------------------------------ -# -# Custom setting to enable/disable wazuh-monitoring indices. -# Values: true, false, worker -# If worker is given as value, the app will show the Agents status -# visualization but won't insert data on wazuh-monitoring indices. -# Default: true -#wazuh.monitoring.enabled: true -# -# Custom setting to set the frequency for wazuh-monitoring indices cron task. -# Default: 900 (s) -#wazuh.monitoring.frequency: 900 -# -# Configure wazuh-monitoring-* indices shards and replicas. -#wazuh.monitoring.shards: 2 -#wazuh.monitoring.replicas: 0 -# -# Configure wazuh-monitoring-* indices custom creation interval. -# Values: h (hourly), d (daily), w (weekly), m (monthly) -# Default: d -#wazuh.monitoring.creation: d -# -# Default index pattern to use for Wazuh monitoring -#wazuh.monitoring.pattern: wazuh-monitoring-* -# -# --------------------------------- wazuh-cron ---------------------------------- -# -# Customize the index prefix of predefined jobs -# This change is not retroactive, if you change it new indexes will be created -# cron.prefix: test -# -# ------------------------------ wazuh-statistics ------------------------------- -# -# Custom setting to enable/disable statistics tasks. 
-#cron.statistics.status: true -# -# Enter the ID of the APIs you want to save data from, leave this empty to run -# the task on all configured APIs -#cron.statistics.apis: [] -# -# Define the frequency of task execution using cron schedule expressions -#cron.statistics.interval: 0 0 * * * * -# -# Define the name of the index in which the documents are to be saved. -#cron.statistics.index.name: statistics -# -# Define the interval in which the index will be created -#cron.statistics.index.creation: w -# -# ------------------------------- App privileges -------------------------------- -#admin: true -# -# ---------------------------- Hide manager alerts ------------------------------ -# Hide the alerts of the manager in all dashboards and discover -#hideManagerAlerts: false -# -# ------------------------------- App logging level ----------------------------- -# Set the logging level for the Wazuh App log files. -# Default value: info -# Allowed values: info, debug -#logs.level: info -# -# -------------------------------- Enrollment DNS ------------------------------- -# Set the variable WAZUH_REGISTRATION_SERVER in agents deployment. -# Default value: '' -#enrollment.dns: '' -# -#-------------------------------- API entries ----------------------------------- -#The following configuration is the default structure to define an API entry. -# -#hosts: -# - : -# url: http(s):// -# port: -# username: -# password: diff --git a/build-docker-images/wazuh-dashboard/config/wazuh_app_config.sh b/build-docker-images/wazuh-dashboard/config/wazuh_app_config.sh index 76ecdc7f..e98a8b46 100644 --- a/build-docker-images/wazuh-dashboard/config/wazuh_app_config.sh +++ b/build-docker-images/wazuh-dashboard/config/wazuh_app_config.sh @@ -32,11 +32,6 @@ do fi done - -grep -q 1513629884013 $dashboard_config_file -_config_exists=$? - -if [[ $_config_exists -ne 0 ]]; then cat << EOF >> $dashboard_config_file hosts: - 1513629884013: 
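Review bot: Removing the `grep -q 1513629884013 $dashboard_config_file` guard means the kept `cat << EOF >> $dashboard_config_file` heredoc appends a fresh `hosts:` entry on every run; if the entrypoint runs this script at each container start and the config file lives on a persisted volume, the file grows one duplicate host block per restart, each carrying the API password again. If the intent is that the file is regenerated from scratch on every start, truncate it instead of appending (`cat << EOF > $dashboard_config_file`) or state that assumption in a comment above the heredoc; otherwise keep an idempotency check. The enclosing loop and the heredoc body continue outside this hunk.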
@@ -46,7 +41,4 @@ hosts:
 password: $api_password
 run_as: $api_run_as
 EOF
-else
- echo "Wazuh APP already configured"
-fi
 
diff --git a/build-docker-images/wazuh-indexer/Dockerfile b/build-docker-images/wazuh-indexer/Dockerfile
index ed250a4d..3772bd10 100644
--- a/build-docker-images/wazuh-indexer/Dockerfile
+++ b/build-docker-images/wazuh-indexer/Dockerfile
@@ -22,7 +22,6 @@ RUN URL_VAR="wazuh_indexer_url_${TARGETARCH}_rpm" && \
 #
 # Copy wazuh-indexer from stage 0
 # Add entrypoint
-
 ################################################################################
 FROM amazonlinux:2023
 
@@ -31,47 +30,39 @@ ENV USER="wazuh-indexer" \
 NAME="wazuh-indexer" \
 INSTALL_DIR="/usr/share/wazuh-indexer"
 
-RUN yum install curl-minimal shadow-utils findutils hostname -y
-RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
+COPY config/entrypoint.sh /
+COPY config/securityadmin.sh /
 
-RUN useradd --system \
+RUN yum install curl-minimal shadow-utils findutils hostname -y && \
+ yum clean all && \
+ getent group $GROUP || groupadd -r -g 1000 $GROUP && \
+ useradd --system \
 --uid 1000 \
 --no-create-home \
 --home-dir $INSTALL_DIR \
 --gid $GROUP \
 --shell /sbin/nologin \
 --comment "$USER user" \
- $USER
-
-WORKDIR $INSTALL_DIR
-
-COPY config/entrypoint.sh /
-
-COPY config/securityadmin.sh /
-
-RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh && \
- mkdir -p /usr/share/wazuh-indexer && \
- chown 1000:1000 /usr/share/wazuh-indexer && \
- chown 1000:1000 /*.sh
-
-COPY --from=builder --chown=1000:1000 /usr/share/wazuh-indexer /usr/share/wazuh-indexer
-COPY --from=builder --chown=1000:1000 /etc/wazuh-indexer /usr/share/wazuh-indexer/config
-COPY --from=builder --chown=1000:1000 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer
-COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd
-COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d
-COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d
-
-RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && \
- mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs && \
+ $USER && \
+ chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh && \
+ mkdir -p $INSTALL_DIR && \
+ chown 1000:1000 $INSTALL_DIR && \
+ chown 1000:1000 /*.sh && \
+ mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && \
+ mkdir -p $INSTALL_DIR/logs && chown 1000:1000 $INSTALL_DIR/logs && \
 mkdir -p /run/wazuh-indexer && chown 1000:1000
/run/wazuh-indexer && \ - mkdir -p /var/log/wazuh-indexer && chown 1000:1000 /var/log/wazuh-indexer && \ - chmod 700 /usr/share/wazuh-indexer && \ - chmod 700 /usr/share/wazuh-indexer/config && \ - chmod 600 /usr/share/wazuh-indexer/config/jvm.options && \ - chmod 600 /usr/share/wazuh-indexer/config/opensearch.yml + mkdir -p /var/log/wazuh-indexer && chown 1000:1000 /var/log/wazuh-indexer + +COPY --from=builder --chown=1000:1000 $INSTALL_DIR $INSTALL_DIR + +RUN chmod 700 $INSTALL_DIR && \ + chmod 700 $INSTALL_DIR/config && \ + chmod 600 $INSTALL_DIR/config/jvm.options && \ + chmod 600 $INSTALL_DIR/config/opensearch.yml USER wazuh-indexer +WORKDIR $INSTALL_DIR # Services ports EXPOSE 9200 diff --git a/build-docker-images/wazuh-indexer/config/action_groups.yml b/build-docker-images/wazuh-indexer/config/action_groups.yml deleted file mode 100644 index 04119c8a..00000000 --- a/build-docker-images/wazuh-indexer/config/action_groups.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -_meta: - type: "actiongroups" - config_version: 2 - -# ISM API permissions group -manage_ism: - reserved: true - hidden: false - allowed_actions: - - "cluster:admin/opendistro/ism/*" - static: false \ No newline at end of file diff --git a/build-docker-images/wazuh-indexer/config/config.sh b/build-docker-images/wazuh-indexer/config/config.sh index 8e90485e..f1b11890 100644 --- a/build-docker-images/wazuh-indexer/config/config.sh +++ b/build-docker-images/wazuh-indexer/config/config.sh @@ -3,7 +3,6 @@ export DH_OPTIONS export NAME=wazuh-indexer -export TARGET_DIR=${CURDIR}/debian/${NAME} # Package build options export USER=${NAME} 
@@ -14,89 +13,81 @@ export LIB_DIR=/var/lib/${NAME} export PID_DIR=/run/${NAME} export INSTALLATION_DIR=/usr/share/${NAME} export CONFIG_DIR=${INSTALLATION_DIR}/config -export BASE_DIR=${NAME}-* -export INDEXER_FILE=wazuh-indexer-base.tar.xz -export BASE_FILE=wazuh-indexer-base-${VERSION}-linux-x64.tar.xz -export REPO_DIR=/unattended_installer + + +############################################################################## +# Downloading Cert Gen Tool +############################################################################## ## Variables CERT_TOOL=wazuh-certs-tool.sh -PASSWORD_TOOL=wazuh-passwords-tool.sh -PACKAGES_URL=https://packages.wazuh.com/5.0/ -PACKAGES_DEV_URL=https://packages-dev.wazuh.com/5.0/ +CERT_CONFIG_FILE=config.yml +CERT_TOOL_VERSION="${WAZUH_VERSION%.*}" +PACKAGES_URL=https://packages.wazuh.com/$CERT_TOOL_VERSION/ +PACKAGES_DEV_URL=https://packages-dev.wazuh.com/$CERT_TOOL_VERSION/ -## Check if the cert tool exists in S3 buckets -CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}') -CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}') +download_package() { + local url=$1 + local package=$2 + local output=$2 + echo "Checking $url$package ..." + if curl -fsL "$url$package" -o "$output"; then + echo "Downloaded $package from $url" + return 0 + else + return 1 + fi +} -## If cert tool exists in some bucket, download it, if not exit 1 -if [ "$CERT_TOOL_PACKAGES" = "200" ]; then - curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL - echo "Cert tool exists in Packages bucket" -elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then - curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL - echo "Cert tool exists in Packages-dev bucket" +# Download the tool to create the certificates +echo "Downloading the tool to create the certificates..." 
+# Try first the prod URL, if it fails try the dev URL +if download_package "$PACKAGES_URL" "$CERT_TOOL"; then + : +elif download_package "$PACKAGES_DEV_URL" "$CERT_TOOL"; then + : else - echo "Cert tool does not exist in any bucket" - exit 1 + echo "The tool to create the certificates does not exist in any bucket" + echo "ERROR: certificates were not created" + exit 1 fi - -## Check if the password tool exists in S3 buckets -PASSWORD_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$PASSWORD_TOOL | grep -E "^HTTP" | awk '{print $2}') -PASSWORD_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$PASSWORD_TOOL | grep -E "^HTTP" | awk '{print $2}') - -## If password tool exists in some bucket, download it, if not exit 1 -if [ "$PASSWORD_TOOL_PACKAGES" = "200" ]; then - curl -o $PASSWORD_TOOL $PACKAGES_URL$PASSWORD_TOOL - echo "Password tool exists in Packages bucket" -elif [ "$PASSWORD_TOOL_PACKAGES_DEV" = "200" ]; then - curl -o $PASSWORD_TOOL $PACKAGES_DEV_URL$PASSWORD_TOOL - echo "Password tool exists in Packages-dev bucket" +# Download the config file for the certificate tool +echo "Downloading the config file for the certificate tool..." 
+# Try first the prod URL, if it fails try the dev URL +if download_package "$PACKAGES_URL" "$CERT_CONFIG_FILE"; then + : +elif download_package "$PACKAGES_DEV_URL" "$CERT_CONFIG_FILE"; then + : else - echo "Password tool does not exist in any bucket" - exit 1 + echo "The config file for the certificate tool does not exist in any bucket" + echo "ERROR: certificates were not created" + exit 1 fi -chmod 755 $CERT_TOOL && bash /$CERT_TOOL -A +# Modify the config file to set the IP to localhost +sed -i 's/ ip:.*/ ip: "127.0.0.1"/' $CERT_CONFIG_FILE -# copy to target -mkdir -p ${TARGET_DIR}${INSTALLATION_DIR} -mkdir -p ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/ -mkdir -p ${TARGET_DIR}${CONFIG_DIR} -mkdir -p ${TARGET_DIR}${LIB_DIR} -mkdir -p ${TARGET_DIR}${LOG_DIR} -mkdir -p ${TARGET_DIR}/etc/init.d -mkdir -p ${TARGET_DIR}/etc/default -mkdir -p ${TARGET_DIR}/usr/lib/tmpfiles.d -mkdir -p ${TARGET_DIR}/usr/lib/sysctl.d -mkdir -p ${TARGET_DIR}/usr/lib/systemd/system -mkdir -p ${TARGET_DIR}${CONFIG_DIR}/certs -# Copy Wazuh's config files for the security plugin -cp -pr /roles_mapping.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/ -cp -pr /roles.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/ -cp -pr /action_groups.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/ -cp -pr /internal_users.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/ -cp -pr /opensearch.yml ${TARGET_DIR}${CONFIG_DIR} -# Copy Wazuh indexer's certificates -cp -pr /wazuh-certificates/demo.indexer.pem ${TARGET_DIR}${CONFIG_DIR}/certs/indexer.pem -cp -pr /wazuh-certificates/demo.indexer-key.pem ${TARGET_DIR}${CONFIG_DIR}/certs/indexer-key.pem -cp -pr /wazuh-certificates/root-ca.key ${TARGET_DIR}${CONFIG_DIR}/certs/root-ca.key -cp -pr /wazuh-certificates/root-ca.pem ${TARGET_DIR}${CONFIG_DIR}/certs/root-ca.pem -cp -pr /wazuh-certificates/admin.pem ${TARGET_DIR}${CONFIG_DIR}/certs/admin.pem -cp -pr /wazuh-certificates/admin-key.pem 
${TARGET_DIR}${CONFIG_DIR}/certs/admin-key.pem +chmod 700 "$CERT_CONFIG_FILE" +# Create the certificates +chmod 755 "$CERT_TOOL" && bash "$CERT_TOOL" -A + +# Copy Wazuh indexer's certificates and config files to $CONFIG_DIR +mkdir -p ${CONFIG_DIR}/certs +mv /etc/wazuh-indexer/* ${CONFIG_DIR}/ +cp -pr /wazuh-certificates/node-1.pem ${CONFIG_DIR}/certs/indexer.pem +cp -pr /wazuh-certificates/node-1-key.pem ${CONFIG_DIR}/certs/indexer-key.pem +cp -pr /wazuh-certificates/root-ca.key ${CONFIG_DIR}/certs/root-ca.key +cp -pr /wazuh-certificates/root-ca.pem ${CONFIG_DIR}/certs/root-ca.pem +cp -pr /wazuh-certificates/admin.pem ${CONFIG_DIR}/certs/admin.pem +cp -pr /wazuh-certificates/admin-key.pem ${CONFIG_DIR}/certs/admin-key.pem + +# Modify opensearch.yml config paths +sed -i "s|/etc/wazuh-indexer|${CONFIG_DIR}|g" ${CONFIG_DIR}/opensearch.yml # Delete xms and xmx parameters in jvm.options -sed '/-Xms/d' -i /etc/wazuh-indexer/jvm.options -sed '/-Xmx/d' -i /etc/wazuh-indexer/jvm.options sed -i 's/-Djava.security.policy=file:\/\/\/etc\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy/-Djava.security.policy=file:\/\/\/usr\/share\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy/g' /etc/wazuh-indexer/jvm.options - -chmod -R 500 ${TARGET_DIR}${CONFIG_DIR}/certs -chmod -R 400 ${TARGET_DIR}${CONFIG_DIR}/certs/* - -find ${TARGET_DIR} -type d -exec chmod 750 {} \; -find ${TARGET_DIR} -type f -perm 644 -exec chmod 640 {} \; -find ${TARGET_DIR} -type f -perm 664 -exec chmod 660 {} \; -find ${TARGET_DIR} -type f -perm 755 -exec chmod 750 {} \; -find ${TARGET_DIR} -type f -perm 744 -exec chmod 740 {} \; +chown -R ${USER}:${GROUP} ${CONFIG_DIR} +chmod -R 500 ${CONFIG_DIR}/certs +chmod -R 400 ${CONFIG_DIR}/certs/* \ No newline at end of file diff --git a/build-docker-images/wazuh-indexer/config/config.yml b/build-docker-images/wazuh-indexer/config/config.yml deleted file mode 100644 index e5383c7c..00000000 
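Review bot: The unchanged `sed -i 's/-Djava.security.policy=...' /etc/wazuh-indexer/jvm.options` line now executes after the added `mv /etc/wazuh-indexer/* ${CONFIG_DIR}/`, so the file it edits is no longer at that path: sed will fail to read it and the policy path inside the moved `${CONFIG_DIR}/jvm.options` is never rewritten (whether the build aborts depends on `set -e`, which is outside this hunk). Change that command's last argument to `${CONFIG_DIR}/jvm.options`, as the new `sed -i "s|/etc/wazuh-indexer|${CONFIG_DIR}|g" ${CONFIG_DIR}/opensearch.yml` line already does for opensearch.yml. The kept comment `# Delete xms and xmx parameters in jvm.options` now describes nothing, since the `sed '/-Xms/d'` and `sed '/-Xmx/d'` lines were dropped; either restore them against `${CONFIG_DIR}/jvm.options` or reword the comment to say it rewrites the security policy path. `chown -R ${USER}:${GROUP} ${CONFIG_DIR}` also relies on `GROUP` being exported above this hunk, which is not visible here.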
--- a/build-docker-images/wazuh-indexer/config/config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-nodes:
- # Wazuh indexer server nodes
- indexer:
- - name: demo.indexer
- ip: demo.indexer
\ No newline at end of file
diff --git a/build-docker-images/wazuh-indexer/config/internal_users.yml b/build-docker-images/wazuh-indexer/config/internal_users.yml
deleted file mode 100644
index 40fcb9cd..00000000
--- a/build-docker-images/wazuh-indexer/config/internal_users.yml
+++ /dev/null
@@ -1,74 +0,0 @@ ---- -# This is the internal user database -# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh - -_meta: - type: "internalusers" - config_version: 2 - -# Define your internal users here - -## Demo users - -admin: - hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG" - reserved: true - backend_roles: - - "admin" - description: "Demo admin user" - -kibanaserver: - hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H." - reserved: true - description: "Demo kibanaserver user" - -kibanaro: - hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC" - reserved: false - backend_roles: - - "kibanauser" - - "readall" - attributes: - attribute1: "value1" - attribute2: "value2" - attribute3: "value3" - description: "Demo kibanaro user" - -logstash: - hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2" - reserved: false - backend_roles: - - "logstash" - description: "Demo logstash user" - -readall: - hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2" - reserved: false - backend_roles: - - "readall" - description: "Demo readall user" - -snapshotrestore: - hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W" - reserved: false - backend_roles: - - "snapshotrestore" - description: "Demo snapshotrestore user" - -wazuh_admin: - hash: "$2y$12$d2awHiOYvZjI88VfsDON.u6buoBol0gYPJEgdG1ArKVE0OMxViFfu" - reserved: true - hidden: false - backend_roles: [] - attributes: {} - opendistro_security_roles: [] - static: false - -wazuh_user: - hash: "$2y$12$BQixeoQdRubZdVf/7sq1suHwiVRnSst1.lPI2M0.GPZms4bq2D9vO" - reserved: true - hidden: false - backend_roles: [] - attributes: {} - opendistro_security_roles: [] - static: false \ No newline at end of file diff --git a/build-docker-images/wazuh-indexer/config/opensearch.yml b/build-docker-images/wazuh-indexer/config/opensearch.yml deleted file mode 100644 index 1f057d73..00000000 
--- a/build-docker-images/wazuh-indexer/config/opensearch.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-network.host: "0.0.0.0"
-node.name: "wazuh.indexer"
-cluster.name: "wazuh-cluster"
-path.data: /var/lib/wazuh-indexer
-path.logs: /var/log/wazuh-indexer
-discovery.type: single-node
-plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/indexer.pem
-plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/indexer-key.pem
-plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
-plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/indexer.pem
-plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/indexer-key.pem
-plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
-plugins.security.ssl.http.enabled: true
-plugins.security.ssl.transport.enforce_hostname_verification: false
-plugins.security.ssl.transport.resolve_hostname: false
-plugins.security.authcz.admin_dn:
-- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
-plugins.security.check_snapshot_restore_write_privileges: true
-plugins.security.enable_snapshot_restore_privilege: true
-plugins.security.nodes_dn:
-- "CN=demo.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
-plugins.security.restapi.roles_enabled:
-- "all_access"
-- "security_rest_api_access"
-plugins.security.system_indices.enabled: true
-plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
\ No newline at end of file
diff --git a/build-docker-images/wazuh-indexer/config/roles.yml b/build-docker-images/wazuh-indexer/config/roles.yml
deleted file mode 100644
index f8bc557a..00000000
--- a/build-docker-images/wazuh-indexer/config/roles.yml
+++ /dev/null
@@ -1,171 +0,0 @@ -_meta: - type: "roles" - config_version: 2 - -# Restrict users so they can only view visualization and dashboards on kibana -kibana_read_only: - reserved: true - -# The security REST API access role is used to assign specific users access to change the security settings through the REST API. -security_rest_api_access: - reserved: true - -# Allows users to view monitors, destinations and alerts -alerting_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/alerting/alerts/get' - - 'cluster:admin/opendistro/alerting/destination/get' - - 'cluster:admin/opendistro/alerting/monitor/get' - - 'cluster:admin/opendistro/alerting/monitor/search' - -# Allows users to view and acknowledge alerts -alerting_ack_alerts: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/alerting/alerts/*' - -# Allows users to use all alerting functionality -alerting_full_access: - reserved: true - cluster_permissions: - - 'cluster_monitor' - - 'cluster:admin/opendistro/alerting/*' - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices_monitor' - - 'indices:admin/aliases/get' - - 'indices:admin/mappings/get' - -# Allow users to read Anomaly Detection detectors and results -anomaly_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/ad/detector/info' - - 'cluster:admin/opendistro/ad/detector/search' - - 'cluster:admin/opendistro/ad/detectors/get' - - 'cluster:admin/opendistro/ad/result/search' - - 'cluster:admin/opendistro/ad/tasks/search' - -# Allows users to use all Anomaly Detection functionality -anomaly_full_access: - reserved: true - cluster_permissions: - - 'cluster_monitor' - - 'cluster:admin/opendistro/ad/*' - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices_monitor' - - 'indices:admin/aliases/get' - - 'indices:admin/mappings/get' - -# Allows users to read Notebooks -notebooks_read_access: - reserved: true - cluster_permissions: - - 
'cluster:admin/opendistro/notebooks/list' - - 'cluster:admin/opendistro/notebooks/get' - -# Allows users to all Notebooks functionality -notebooks_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/notebooks/create' - - 'cluster:admin/opendistro/notebooks/update' - - 'cluster:admin/opendistro/notebooks/delete' - - 'cluster:admin/opendistro/notebooks/get' - - 'cluster:admin/opendistro/notebooks/list' - -# Allows users to read and download Reports -reports_instances_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/reports/instance/list' - - 'cluster:admin/opendistro/reports/instance/get' - - 'cluster:admin/opendistro/reports/menu/download' - -# Allows users to read and download Reports and Report-definitions -reports_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/reports/definition/get' - - 'cluster:admin/opendistro/reports/definition/list' - - 'cluster:admin/opendistro/reports/instance/list' - - 'cluster:admin/opendistro/reports/instance/get' - - 'cluster:admin/opendistro/reports/menu/download' - -# Allows users to all Reports functionality -reports_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/reports/definition/create' - - 'cluster:admin/opendistro/reports/definition/update' - - 'cluster:admin/opendistro/reports/definition/on_demand' - - 'cluster:admin/opendistro/reports/definition/delete' - - 'cluster:admin/opendistro/reports/definition/get' - - 'cluster:admin/opendistro/reports/definition/list' - - 'cluster:admin/opendistro/reports/instance/list' - - 'cluster:admin/opendistro/reports/instance/get' - - 'cluster:admin/opendistro/reports/menu/download' - -# Allows users to use all asynchronous-search functionality -asynchronous_search_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/asynchronous_search/*' - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 
'indices:data/read/search*' - -# Allows users to read stored asynchronous-search results -asynchronous_search_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/asynchronous_search/get' - -wazuh_ui_user: - reserved: true - hidden: false - cluster_permissions: [] - index_permissions: - - index_patterns: - - "wazuh-*" - dls: "" - fls: [] - masked_fields: [] - allowed_actions: - - "read" - tenant_permissions: [] - static: false - -wazuh_ui_admin: - reserved: true - hidden: false - cluster_permissions: [] - index_permissions: - - index_patterns: - - "wazuh-*" - dls: "" - fls: [] - masked_fields: [] - allowed_actions: - - "read" - - "delete" - - "manage" - - "index" - tenant_permissions: [] - static: false - -# ISM API permissions role -manage_ism: - reserved: true - hidden: false - cluster_permissions: - - "manage_ism" - static: false \ No newline at end of file diff --git a/build-docker-images/wazuh-indexer/config/roles_mapping.yml b/build-docker-images/wazuh-indexer/config/roles_mapping.yml deleted file mode 100644 index 7fa57a4d..00000000 --- a/build-docker-images/wazuh-indexer/config/roles_mapping.yml +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -# In this file users, backendroles and hosts can be mapped to Wazuh indexer Security roles. -# Permissions for Wazuh indexer roles are configured in roles.yml - -_meta: - type: "rolesmapping" - config_version: 2 - -# Define your roles mapping here - -## Demo roles mapping - -all_access: - reserved: false - backend_roles: - - "admin" - description: "Maps admin to all_access" - -own_index: - reserved: false - users: - - "*" - description: "Allow full access to an index named like the username" - -logstash: - reserved: false - backend_roles: - - "logstash" - -kibana_user: - reserved: false - backend_roles: - - "kibanauser" - users: - - "wazuh_user" - - "wazuh_admin" - description: "Maps kibanauser to kibana_user" - -readall: - reserved: false - backend_roles: - - "readall" - -manage_snapshots: - reserved: false - backend_roles: - - "snapshotrestore" - -kibana_server: - reserved: true - users: - - "kibanaserver" - -wazuh_ui_admin: - reserved: true - hidden: false - backend_roles: [] - hosts: [] - users: - - "wazuh_admin" - - "kibanaserver" - and_backend_roles: [] - -wazuh_ui_user: - reserved: true - hidden: false - backend_roles: [] - hosts: [] - users: - - "wazuh_user" - and_backend_roles: [] - -# ISM API permissions role mapping -manage_ism: - reserved: true - hidden: false - users: - - "kibanaserver" \ No newline at end of file diff --git a/build-docker-images/wazuh-manager/config/filebeat.yml b/build-docker-images/wazuh-manager/config/filebeat.yml deleted file mode 100644 index c434a78c..00000000 --- a/build-docker-images/wazuh-manager/config/filebeat.yml +++ /dev/null 
@@ -1,31 +0,0 @@ - -# Wazuh - Filebeat configuration file -filebeat.modules: - - module: wazuh - alerts: - enabled: true - archives: - enabled: false - -setup.template.json.enabled: true -setup.template.overwrite: true -setup.template.json.path: '/etc/filebeat/wazuh-template.json' -setup.template.json.name: 'wazuh' -setup.ilm.enabled: false -output.elasticsearch: - hosts: ['https://wazuh.indexer:9200'] - #username: - #password: - #ssl.verification_mode: - #ssl.certificate_authorities: - #ssl.certificate: - #ssl.key: - -logging.metrics.enabled: false - -seccomp: - default_action: allow - syscalls: - - action: allow - names: - - rseq From 9f12a03bfcb9feb99238b841e1ec89ea98829078 Mon Sep 17 00:00:00 2001 From: Victor Carlos Erenu Date: Wed, 5 Nov 2025 22:12:17 +0700 Subject: [PATCH 2/6] Delete old comment --- build-docker-images/wazuh-indexer/config/config.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/build-docker-images/wazuh-indexer/config/config.sh b/build-docker-images/wazuh-indexer/config/config.sh index f1b11890..e3573ace 100644 --- a/build-docker-images/wazuh-indexer/config/config.sh +++ b/build-docker-images/wazuh-indexer/config/config.sh @@ -85,7 +85,6 @@ cp -pr /wazuh-certificates/admin-key.pem ${CONFIG_DIR}/certs/admin-key.pem # Modify opensearch.yml config paths sed -i "s|/etc/wazuh-indexer|${CONFIG_DIR}|g" ${CONFIG_DIR}/opensearch.yml -# Delete xms and xmx parameters in jvm.options sed -i 's/-Djava.security.policy=file:\/\/\/etc\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy/-Djava.security.policy=file:\/\/\/usr\/share\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy/g' /etc/wazuh-indexer/jvm.options chown -R ${USER}:${GROUP} ${CONFIG_DIR} From e10480326753235f73c36e105fe011f7ad343326 Mon Sep 17 00:00:00 2001 
From: Victor Carlos Erenu Date: Tue, 11 Nov 2025 00:13:46 +0700 Subject: [PATCH 3/6] Add Wazuh dashboard ad manager entrypoint configuration --- build-docker-images/wazuh-agent/Dockerfile | 1 + .../wazuh-dashboard/Dockerfile | 1 + .../wazuh-dashboard/config/config.sh | 2 +- .../wazuh-dashboard/config/entrypoint.sh | 179 +++++++++++++++++- .../config/wazuh_app_config.sh | 24 ++- build-docker-images/wazuh-indexer/Dockerfile | 3 +- .../wazuh-indexer/config/config.sh | 2 +- .../wazuh-indexer/config/entrypoint.sh | 158 +++++++--------- build-docker-images/wazuh-manager/Dockerfile | 1 + .../config/etc/cont-init.d/0-wazuh-init | 84 ++++++-- .../config/wazuh_cluster/entrypoint.sh | 85 +++++++++ .../config/wazuh_indexer/wazuh.indexer.yml | 12 +- 12 files changed, 425 insertions(+), 127 deletions(-) create mode 100755 single-node/config/wazuh_cluster/entrypoint.sh diff --git a/build-docker-images/wazuh-agent/Dockerfile b/build-docker-images/wazuh-agent/Dockerfile index 3b90c23e..46bcab1c 100644 --- a/build-docker-images/wazuh-agent/Dockerfile +++ b/build-docker-images/wazuh-agent/Dockerfile @@ -20,6 +20,7 @@ RUN URL_VAR="wazuh_agent_url_${TARGETARCH}_rpm" && \ dnf install curl-minimal tar gzip procps -y &&\ curl -o /wazuh-agent.rpm "${agent_url}" && \ dnf install /wazuh-agent.rpm -y && \ + rm -rf /wazuh-agent.rpm && \ dnf clean all && \ sed -i '//d' /var/ossec/etc/ossec.conf && \ curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \ diff --git a/build-docker-images/wazuh-dashboard/Dockerfile b/build-docker-images/wazuh-dashboard/Dockerfile index c02123d6..780f28f6 100644 --- a/build-docker-images/wazuh-dashboard/Dockerfile +++ b/build-docker-images/wazuh-dashboard/Dockerfile 
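Review bot: `rm -rf /wazuh-agent.rpm` removes a single regular file, so `rm -f /wazuh-agent.rpm && \` states the intent without the recursive flag; the same applies to the equivalent lines added in the wazuh-dashboard, wazuh-indexer and wazuh-manager Dockerfiles in this patch. Deleting the package inside the same `RUN` chain as the install is the right place for it, since a separate layer would still ship the rpm in the image.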
@@ -15,6 +15,7 @@ RUN URL_VAR="wazuh_dashboard_url_${TARGETARCH}_rpm" && \ dnf install curl-minimal libcap openssl -y && \ curl -o /wazuh-dashboard.rpm "${dashboard_url}" && \ dnf install /wazuh-dashboard.rpm -y && \ + rm -rf /wazuh-dashboard.rpm && \ dnf clean all # Create and set permissions to data directories diff --git a/build-docker-images/wazuh-dashboard/config/config.sh b/build-docker-images/wazuh-dashboard/config/config.sh index 36011034..23879717 100644 --- a/build-docker-images/wazuh-dashboard/config/config.sh +++ b/build-docker-images/wazuh-dashboard/config/config.sh @@ -10,7 +10,7 @@ export CONFIG_DIR=${INSTALLATION_DIR}/config ## Variables CERT_TOOL=wazuh-certs-tool.sh CERT_CONFIG_FILE=config.yml -CERT_TOOL_VERSION="${WAZUH_VERSION%.*}" +CERT_TOOL_VERSION=5.0 #"${WAZUH_VERSION%.*}" PACKAGES_URL=https://packages.wazuh.com/$CERT_TOOL_VERSION/ PACKAGES_DEV_URL=https://packages-dev.wazuh.com/$CERT_TOOL_VERSION/ diff --git a/build-docker-images/wazuh-dashboard/config/entrypoint.sh b/build-docker-images/wazuh-dashboard/config/entrypoint.sh index 290f9fa8..ea9974f1 100644 --- a/build-docker-images/wazuh-dashboard/config/entrypoint.sh +++ b/build-docker-images/wazuh-dashboard/config/entrypoint.sh 
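Review bot: `CERT_TOOL_VERSION=5.0 #"${WAZUH_VERSION%.*}"` pins the certificate-tool download to a fixed channel and leaves the previous expression as dead text, so the build no longer follows `WAZUH_VERSION` and a reader cannot tell whether that is intended; the wazuh-indexer config.sh hunk in this patch makes the identical change. If this is a temporary pin (presumably until matching packages are published), make it overridable and say so: `CERT_TOOL_VERSION="${CERT_TOOL_VERSION:-5.0}"  # TODO(<author>): revert to "${WAZUH_VERSION%.*}" once <reason for the pin no longer applies>`.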
@@ -1,20 +1,181 @@ #!/bin/bash # Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2) -INSTALL_DIR=/usr/share/wazuh-dashboard +# Run Wazuh dashboard, using environment variables to +# set longopts defining Wazuh dashboard's configuration. +# +# eg. Setting the environment variable: +# +# OPENSEARCH_STARTUPTIMEOUT=60 +# +# will cause OpenSearch-Dashboards to be invoked with: +# +# --opensearch.startupTimeout=60 + +# Setup Home Directory +export OPENSEARCH_DASHBOARDS_HOME=/usr/share/wazuh-dashboard +export PATH=$OPENSEARCH_DASHBOARDS_HOME/bin:$PATH DASHBOARD_USERNAME="${DASHBOARD_USERNAME:-kibanaserver}" DASHBOARD_PASSWORD="${DASHBOARD_PASSWORD:-kibanaserver}" # Create and configure Wazuh dashboard keystore -yes | $INSTALL_DIR/bin/opensearch-dashboards-keystore create --allow-root && \ -echo $DASHBOARD_USERNAME | $INSTALL_DIR/bin/opensearch-dashboards-keystore add opensearch.username --stdin --allow-root && \ -echo $DASHBOARD_PASSWORD | $INSTALL_DIR/bin/opensearch-dashboards-keystore add opensearch.password --stdin --allow-root +yes | $OPENSEARCH_DASHBOARDS_HOME/bin/opensearch-dashboards-keystore create --allow-root && \ +echo $DASHBOARD_USERNAME | $OPENSEARCH_DASHBOARDS_HOME/bin/opensearch-dashboards-keystore add opensearch.username --stdin --allow-root && \ +echo $DASHBOARD_PASSWORD | $OPENSEARCH_DASHBOARDS_HOME/bin/opensearch-dashboards-keystore add opensearch.password --stdin --allow-root -############################################################################## -# Start Wazuh dashboard -############################################################################## +opensearch_dashboards_vars=( + console.enabled + console.proxyConfig + console.proxyFilter + ops.cGroupOverrides.cpuPath + ops.cGroupOverrides.cpuAcctPath + cpu.cgroup.path.override + cpuacct.cgroup.path.override + csp.rules + csp.strict + csp.warnLegacyBrowsers + data.search.usageTelemetry.enabled + opensearch.customHeaders + opensearch.hosts + opensearch.logQueries + 
opensearch.memoryCircuitBreaker.enabled + opensearch.memoryCircuitBreaker.maxPercentage + opensearch.password + opensearch.pingTimeout + opensearch.requestHeadersWhitelist + opensearch.requestTimeout + opensearch.shardTimeout + opensearch.sniffInterval + opensearch.sniffOnConnectionFault + opensearch.sniffOnStart + opensearch.ssl.alwaysPresentCertificate + opensearch.ssl.certificate + opensearch.ssl.certificateAuthorities + opensearch.ssl.key + opensearch.ssl.keyPassphrase + opensearch.ssl.keystore.path + opensearch.ssl.keystore.password + opensearch.ssl.truststore.path + opensearch.ssl.truststore.password + opensearch.ssl.verificationMode + opensearch.username + i18n.locale + interpreter.enableInVisualize + opensearchDashboards.autocompleteTerminateAfter + opensearchDashboards.autocompleteTimeout + opensearchDashboards.defaultAppI + server.rewriteBasePath + server.socketTimeout + server.ssl.cert + server.ssl.certificate + server.ssl.certificateAuthorities + server.ssl.cipherSuites + server.ssl.clientAuthentication + server.customResponseHeaders + server.ssl.enabled + server.ssl.key + server.ssl.keyPassphrase + server.ssl.keystore.path + server.ssl.keystore.password + server.ssl.truststore.path + server.ssl.truststore.password + server.ssl.redirectHttpFromPort + server.ssl.supportedProtocols + server.xsrf.disableProtection + server.xsrf.whitelist + status.allowAnonymous + status.v6ApiFormat + tilemap.options.attribution + tilemap.options.maxZoom + tilemap.options.minZoom + tilemap.options.subdomains + tilemap.url + timeline.enabled + vega.enableExternalUrls + apm_oss.apmAgentConfigurationIndex + apm_oss.indexPattern + apm_oss.errorIndices + apm_oss.onboardingIndices + apm_oss.spanIndices + apm_oss.sourcemapIndices + apm_oss.transactionIndices + apm_oss.metricsIndices + telemetry.allowChangingOptInStatus + telemetry.enabled + telemetry.optIn + telemetry.optInStatusUrl + telemetry.sendUsageFrom + vis_builder.enabled + data_source.enabled + 
data_source.encryption.wrappingKeyName + data_source.encryption.wrappingKeyNamespace + data_source.encryption.wrappingKey + data_source.audit.enabled + data_source.audit.appender.kind + data_source.audit.appender.path + data_source.audit.appender.layout.kind + data_source.audit.appender.layout.highlight + data_source.audit.appender.layout.pattern + ml_commons_dashboards.enabled + observability.query_assist.enabled + usageCollection.uiMetric.enabled + workspace.enabled + assistant.chat.enabled + assistant.alertInsight.enabled + assistant.smartAnomalyDetector.enabled + assistant.text2viz.enabled + queryEnhancements.queryAssist.summary.enabled +) -/wazuh_app_config.sh $WAZUH_UI_REVISION +function runOpensearchDashboards { + longopts=() + for opensearch_dashboards_var in ${opensearch_dashboards_vars[*]}; do + # 'opensearch.hosts' -> 'OPENSEARCH_URL' + env_var=$(echo ${opensearch_dashboards_var^^} | tr . _) -/usr/share/wazuh-dashboard/bin/opensearch-dashboards -c /usr/share/wazuh-dashboard/config/opensearch_dashboards.yml \ No newline at end of file + # Indirectly lookup env var values via the name of the var. + # REF: http://tldp.org/LDP/abs/html/bashver2.html#EX78 + value=${!env_var} + if [[ -n $value ]]; then + longopt="--${opensearch_dashboards_var}=${value}" + longopts+=("${longopt}") + fi + done + + # Files created at run-time should be group-writable, for Openshift's sake. + umask 0002 + + # TO DO: + # Confirm with Mihir if this is necessary + + # The virtual file /proc/self/cgroup should list the current cgroup + # membership. For each hierarchy, you can follow the cgroup path from + # this file to the cgroup filesystem (usually /sys/fs/cgroup/) and + # introspect the statistics for the cgroup for the given + # hierarchy. Alas, Docker breaks this by mounting the container + # statistics at the root while leaving the cgroup paths as the actual + # paths. 
Therefore, OpenSearch-Dashboards provides a mechanism to override + # reading the cgroup path from /proc/self/cgroup and instead uses the + # cgroup path defined the configuration properties + # cpu.cgroup.path.override and cpuacct.cgroup.path.override. + # Therefore, we set this value here so that cgroup statistics are + # available for the container this process will run in. + + exec "$@" \ + --ops.cGroupOverrides.cpuPath=/ \ + --ops.cGroupOverrides.cpuAcctPath=/ \ + "${longopts[@]}" +} + +# Prepend "opensearch-dashboards" command if no argument was provided or if the +# first argument looks like a flag (i.e. starts with a dash). +if [ $# -eq 0 ] || [ "${1:0:1}" = '-' ]; then + set -- opensearch-dashboards "$@" +fi + +if [ "$1" = "opensearch-dashboards" ]; then + runOpensearchDashboards "$@" +else + exec "$@" +fi \ No newline at end of file diff --git a/build-docker-images/wazuh-dashboard/config/wazuh_app_config.sh b/build-docker-images/wazuh-dashboard/config/wazuh_app_config.sh index e98a8b46..1410d5be 100644 --- a/build-docker-images/wazuh-dashboard/config/wazuh_app_config.sh +++ b/build-docker-images/wazuh-dashboard/config/wazuh_app_config.sh @@ -32,13 +32,19 @@ do fi done -cat << EOF >> $dashboard_config_file -hosts: - - 1513629884013: - url: $wazuh_url - port: $wazuh_port - username: $api_username - password: $api_password - run_as: $api_run_as -EOF +grep -q 1513629884013 $dashboard_config_file +_config_exists=$? +if [[ $_config_exists -ne 0 ]]; then + cat << EOF >> $dashboard_config_file + hosts: + - 1513629884013: + url: $wazuh_url + port: $wazuh_port + username: $api_username + password: $api_password + run_as: $api_run_as + EOF +else + echo "Wazuh APP already configured" +fi diff --git a/build-docker-images/wazuh-indexer/Dockerfile b/build-docker-images/wazuh-indexer/Dockerfile index 3772bd10..ada8d8d6 100644 --- a/build-docker-images/wazuh-indexer/Dockerfile +++ b/build-docker-images/wazuh-indexer/Dockerfile 
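Review bot: `opensearchDashboards.defaultAppI` in `opensearch_dashboards_vars` looks truncated — presumably `opensearchDashboards.defaultAppId` — so the corresponding environment variable would never be mapped; worth checking against the dashboard's setting names. The list also includes `opensearch.password`, `opensearch.ssl.keyPassphrase`, `server.ssl.keyPassphrase`, the keystore/truststore passwords and `data_source.encryption.wrappingKey`, and any of them set in the environment is appended as a `--setting=value` argument of the exec'd process, readable from the process table inside the container, whereas the script already routes `DASHBOARD_PASSWORD` through the keystore; a comment recommending the keystore for secret settings would help. The loop header is better written `for opensearch_dashboards_var in "${opensearch_dashboards_vars[@]}"; do`, and `echo $DASHBOARD_USERNAME` / `echo $DASHBOARD_PASSWORD` should be `printf '%s\n' "$DASHBOARD_PASSWORD"` so values starting with `-` or containing spaces survive. The call `/wazuh_app_config.sh $WAZUH_UI_REVISION` is removed here while the next hunk still edits that script; if it is now invoked from elsewhere, a comment saying where would save the next reader a search.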
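Review bot: The heredoc terminator is now written as `  EOF` (indented) while the redirection is `cat << EOF`, so bash never finds the delimiter: it warns about a here-document delimited by end-of-file and the `else`, `echo` and `fi` lines are appended to `$dashboard_config_file` as well, leaving the `if` unterminated. The body is indented too, so `hosts:` lands two spaces deep in the YAML where the previous version wrote it at column 0. Keep the heredoc body and the `EOF` line at column 0 (or use `<<-EOF` with tab indentation, which strips only leading tabs), and the presence test can simply be `if ! grep -q 1513629884013 "$dashboard_config_file"; then` instead of capturing `$?` into `_config_exists`.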
@@ -14,6 +14,7 @@ RUN URL_VAR="wazuh_indexer_url_${TARGETARCH}_rpm" && \ dnf install curl-minimal openssl xz tar findutils shadow-utils -y &&\ curl -o /wazuh-indexer.rpm "${indexer_url}" && \ dnf install /wazuh-indexer.rpm -y && \ + rm -rf /wazuh-indexer.rpm && \ dnf clean all && \ bash config.sh @@ -69,4 +70,4 @@ EXPOSE 9200 ENTRYPOINT ["/entrypoint.sh"] # Dummy overridable parameter parsed by entrypoint -CMD ["opensearchwrapper"] \ No newline at end of file +CMD ["opensearch"] \ No newline at end of file diff --git a/build-docker-images/wazuh-indexer/config/config.sh b/build-docker-images/wazuh-indexer/config/config.sh index e3573ace..4ff30da5 100644 --- a/build-docker-images/wazuh-indexer/config/config.sh +++ b/build-docker-images/wazuh-indexer/config/config.sh @@ -22,7 +22,7 @@ export CONFIG_DIR=${INSTALLATION_DIR}/config ## Variables CERT_TOOL=wazuh-certs-tool.sh CERT_CONFIG_FILE=config.yml -CERT_TOOL_VERSION="${WAZUH_VERSION%.*}" +CERT_TOOL_VERSION=5.0 #"${WAZUH_VERSION%.*}" PACKAGES_URL=https://packages.wazuh.com/$CERT_TOOL_VERSION/ PACKAGES_DEV_URL=https://packages-dev.wazuh.com/$CERT_TOOL_VERSION/ diff --git a/build-docker-images/wazuh-indexer/config/entrypoint.sh b/build-docker-images/wazuh-indexer/config/entrypoint.sh index caddb80e..8b2c3834 100644 --- a/build-docker-images/wazuh-indexer/config/entrypoint.sh +++ b/build-docker-images/wazuh-indexer/config/entrypoint.sh 
@@ -1,93 +1,77 @@ -#!/usr/bin/env bash -# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2) -set -e +#!/bin/bash -umask 0002 +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 -export USER=wazuh-indexer -export INSTALLATION_DIR=/usr/share/wazuh-indexer -export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}/config -export JAVA_HOME=${INSTALLATION_DIR}/jdk -export DISCOVERY=$(grep -oP "(?<=discovery.type: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml) -export CACERT=$(grep -oP "(?<=plugins.security.ssl.transport.pemtrustedcas_filepath: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml) -export CERT="${OPENSEARCH_PATH_CONF}/certs/admin.pem" -export KEY="${OPENSEARCH_PATH_CONF}/certs/admin-key.pem" +# This script specify the entrypoint startup actions for opensearch +# It will start both opensearch and performance analyzer plugin cli +# If either process failed, the entire docker container will be removed +# in favor of a newly started container + +# Export OpenSearch Home +export OPENSEARCH_HOME=/usr/share/wazuh-indexer +export OPENSEARCH_PATH_CONF=$OPENSEARCH_HOME/config +export PATH=$OPENSEARCH_HOME/bin:$PATH + + +# The virtual file /proc/self/cgroup should list the current cgroup +# membership. For each hierarchy, you can follow the cgroup path from +# this file to the cgroup filesystem (usually /sys/fs/cgroup/) and +# introspect the statistics for the cgroup for the given +# hierarchy. Alas, Docker breaks this by mounting the container +# statistics at the root while leaving the cgroup paths as the actual +# paths. Therefore, OpenSearch provides a mechanism to override +# reading the cgroup path from /proc/self/cgroup and instead uses the +# cgroup path defined the JVM system property +# opensearch.cgroups.hierarchy.override. Therefore, we set this value here so +# that cgroup statistics are available for the container this process +# will run in. 
+export OPENSEARCH_JAVA_OPTS="-Dopensearch.cgroups.hierarchy.override=/ $OPENSEARCH_JAVA_OPTS" + +# Start up the opensearch and performance analyzer agent processes. +# When either of them halts, this script exits, or we receive a SIGTERM or SIGINT signal then we want to kill both these processes. +function runOpensearch { + # Files created by OpenSearch should always be group writable too + umask 0002 + + if [[ "$(id -u)" == "0" ]]; then + echo "Wazuh indexer cannot run as root. Please start your container as another user." + exit 1 + fi + + # Parse Docker env vars to customize Wazuh indexer / OpenSearch configuration + # + # e.g. Setting the env var cluster.name=testcluster + # will cause Wazuh indexer to be invoked with -Ecluster.name=testcluster + opensearch_opts=() + while IFS='=' read -r envvar_key envvar_value + do + # OpenSearch settings need to have at least two dot separated lowercase + # words, e.g. `cluster.name`, except for `processors` which we handle + # specially + if [[ "$envvar_key" =~ ^[a-z0-9_]+\.[a-z0-9_]+ || "$envvar_key" == "processors" ]]; then + if [[ ! 
-z $envvar_value ]]; then + opensearch_opt="-E${envvar_key}=${envvar_value}" + opensearch_opts+=("${opensearch_opt}") + fi + fi + done < <(env) + + # Start opensearch + exec "$@" "${opensearch_opts[@]}" -run_as_other_user_if_needed() { - if [[ "$(id -u)" == "0" ]]; then - # If running as root, drop to specified UID and run command - exec chroot --userspec=1000:0 / "${@}" - else - # Either we are running in Openshift with random uid and are a member of the root group - # or with a custom --user - exec "${@}" - fi } -# Allow user specify custom CMD, maybe bin/opensearch itself -# for example to directly specify `-E` style parameters for opensearch on k8s -# or simply to run /bin/bash to check the image -if [[ "$1" != "opensearchwrapper" ]]; then - if [[ "$(id -u)" == "0" && $(basename "$1") == "opensearch" ]]; then - # Rewrite CMD args to replace $1 with `opensearch` explicitly, - # Without this, user could specify `opensearch -E x.y=z` but - # `bin/opensearch -E x.y=z` would not work. - set -- "opensearch" "${@:2}" - # Use chroot to switch to UID 1000 / GID 0 - exec chroot --userspec=1000:0 / "$@" - else - # User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?) +# Prepend "opensearch" command if no argument was provided or if the first +# argument looks like a flag (i.e. starts with a dash). +if [ $# -eq 0 ] || [ "${1:0:1}" = '-' ]; then + set -- opensearch "$@" +fi + +if [ "$1" = "opensearch" ]; then + # If the first argument is opensearch, then run the setup script. + runOpensearch "$@" +else + # Otherwise, just exec the command. exec "$@" - fi -fi - -# Allow environment variables to be set by creating a file with the -# contents, and setting an environment variable with the suffix _FILE to -# point to it. This can be used to provide secrets to a container, without -# the values being specified explicitly when running the container. 
-# -# This is also sourced in opensearch-env, and is only needed here -# as well because we use INDEXER_PASSWORD below. Sourcing this script -# is idempotent. -source /usr/share/wazuh-indexer/bin/opensearch-env-from-file - -if [[ -f bin/opensearch-users ]]; then - # Check for the INDEXER_PASSWORD environment variable to set the - # bootstrap password for Security. - # - # This is only required for the first node in a cluster with Security - # enabled, but we have no way of knowing which node we are yet. We'll just - # honor the variable if it's present. - if [[ -n "$INDEXER_PASSWORD" ]]; then - [[ -f /usr/share/wazuh-indexer/opensearch.keystore ]] || (run_as_other_user_if_needed opensearch-keystore create) - if ! (run_as_other_user_if_needed opensearch-keystore has-passwd --silent) ; then - # keystore is unencrypted - if ! (run_as_other_user_if_needed opensearch-keystore list | grep -q '^bootstrap.password$'); then - (run_as_other_user_if_needed echo "$INDEXER_PASSWORD" | opensearch-keystore add -x 'bootstrap.password') - fi - else - # keystore requires password - if ! (run_as_other_user_if_needed echo "$KEYSTORE_PASSWORD" \ - | opensearch-keystore list | grep -q '^bootstrap.password$') ; then - COMMANDS="$(printf "%s\n%s" "$KEYSTORE_PASSWORD" "$INDEXER_PASSWORD")" - (run_as_other_user_if_needed echo "$COMMANDS" | opensearch-keystore add -x 'bootstrap.password') - fi - fi - fi -fi - -if [[ "$(id -u)" == "0" ]]; then - # If requested and running as root, mutate the ownership of bind-mounts - if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then - chown -R 1000:0 /usr/share/wazuh-indexer/{data,logs} - fi -fi - - -#if [[ "$DISCOVERY" == "single-node" ]] && [[ ! 
-f "/var/lib/wazuh-indexer/.flag" ]]; then - # run securityadmin.sh for single node with CACERT, CERT and KEY parameter -# nohup /securityadmin.sh & -# touch "/var/lib/wazuh-indexer/.flag" -#fi - -run_as_other_user_if_needed /usr/share/wazuh-indexer/bin/opensearch <<<"$KEYSTORE_PASSWORD" \ No newline at end of file +fi \ No newline at end of file diff --git a/build-docker-images/wazuh-manager/Dockerfile b/build-docker-images/wazuh-manager/Dockerfile index 258638e4..64c7059f 100644 --- a/build-docker-images/wazuh-manager/Dockerfile +++ b/build-docker-images/wazuh-manager/Dockerfile @@ -16,6 +16,7 @@ RUN URL_VAR="wazuh_manager_url_${TARGETARCH}_rpm" && \ dnf clean all && \ curl -o /wazuh-manager.rpm "${manager_url}" && \ dnf install /wazuh-manager.rpm -y && \ + rm -rf /wazuh-manager.rpm && \ dnf clean all && \ curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \ -o /tmp/s6-overlay-amd64.tar.gz && \ diff --git a/build-docker-images/wazuh-manager/config/etc/cont-init.d/0-wazuh-init b/build-docker-images/wazuh-manager/config/etc/cont-init.d/0-wazuh-init index ca125b1b..a91d6b1e 100644 --- a/build-docker-images/wazuh-manager/config/etc/cont-init.d/0-wazuh-init +++ b/build-docker-images/wazuh-manager/config/etc/cont-init.d/0-wazuh-init 
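Review bot: The rewritten entrypoint drops, without a word in the script header or the commit message, the `INDEXER_PASSWORD`/`KEYSTORE_PASSWORD` bootstrap-password handling, the `opensearch-env-from-file` sourcing that let secrets arrive via `*_FILE` variables, and the `TAKE_FILE_OWNERSHIP` chown of bind mounts, and running as root now exits instead of dropping to UID 1000; if those paths are intentionally gone, the header comment should list the removed variables so operators know the container must be started as a non-root user with pre-owned volumes. The `-E` loop forwards every matching environment value onto the command line of the exec'd process, where it is readable from the process table inside the container; a comment stating that secret settings belong in the keystore rather than the environment would help. Style: `[[ ! -z $envvar_value ]]` reads better as `[[ -n "$envvar_value" ]]`, and `read -r` with `IFS='='` mis-splits multi-line environment values, which deserves a comment if that is accepted.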
@@ -152,18 +152,76 @@ set_custom_hostname() { sed -i 's/to_be_replaced_by_hostname<\/node_name>/'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf } -############################################################################## -# Allow users to set the container cluster key dynamically on -# container start. -# -# To use this: -# 1. Create your own ossec.conf file -# 2. In your ossec.conf file, set to_be_replaced_by_cluster_key as your key -# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf -############################################################################## +function_configure_ossec_conf() { +OSSEC_CONF="${WAZUH_INSTALL_PATH}/etc/ossec.conf" -set_custom_cluster_key() { - sed -i 's/to_be_replaced_by_cluster_key<\/key>/'"${WAZUH_CLUSTER_KEY}"'<\/key>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf +# -------------------------- +# Defaults based on OSSEC_CONF +# -------------------------- +if [[ -z "$WAZUH_CLUSTER_KEY" ]]; then + WAZUH_CLUSTER_KEY=$(sed -n '//,/<\/cluster>/s/.*\(.*\)<\/key>.*/\1/p' "$OSSEC_CONF" | head -n1) +fi + +# Node type logic +if [[ "$WAZUH_NODE_TYPE" != "worker" ]]; then + WAZUH_NODE_TYPE="master" +fi + +# Default node name → HOSTNAME if not defined +WAZUH_NODE_NAME="${WAZUH_NODE_NAME:-$HOSTNAME}" + +# -------------------------- +# Replace Indexer Hosts +# -------------------------- +if [[ -n "$WAZUH_INDEXER_HOSTS" ]]; then + TMP_HOSTS=$(mktemp) + { + echo " " + for NODE in $WAZUH_INDEXER_HOSTS; do + IP="${NODE%:*}" + PORT="${NODE#*:}" + echo " https://$IP:$PORT" + done + echo " " + } > "$TMP_HOSTS"; + sed -i -e '//,/<\/indexer>/{ //,/<\/hosts>/{ //r '"$TMP_HOSTS" \ + -e 'd }}' "$OSSEC_CONF"; + rm -f "$TMP_HOSTS"; +fi + +# -------------------------- +# Cluster: node_name +# -------------------------- +sed -i "//,/<\/cluster>/ s|.*|$WAZUH_NODE_NAME|" "$OSSEC_CONF" + +# -------------------------- +# Cluster: node_type +# -------------------------- +sed -i "//,/<\/cluster>/ s|.*|$WAZUH_NODE_TYPE|" 
"$OSSEC_CONF" + +# -------------------------- +# Cluster: key +# -------------------------- +sed -i "//,/<\/cluster>/ s|.*|$WAZUH_CLUSTER_KEY|" "$OSSEC_CONF" + +# -------------------------- +# Cluster: nodes list +# -------------------------- +if [[ -n "$WAZUH_CLUSTER_NODES" ]]; then + TMP_NODES=$(mktemp) + { + echo " " + for N in $WAZUH_CLUSTER_NODES; do + echo " $N" + done + echo " " + } > "$TMP_NODES"; + sed -i -e '//,/<\/cluster>/{ //,/<\/nodes>/{ //r '"$TMP_NODES" \ + -e 'd }}' "$OSSEC_CONF"; + rm -f "$TMP_NODES"; +fi + +echo "Wazuh manager config modified successfully." } ############################################################################## @@ -221,8 +279,8 @@ main() { # Allow setting custom hostname set_custom_hostname - # Allow setting custom cluster key - set_custom_cluster_key + # Configure ossec.conf based on environment variables + function_configure_ossec_conf # Delete temporary data folder rm -rf ${WAZUH_INSTALL_PATH}/data_tmp diff --git a/single-node/config/wazuh_cluster/entrypoint.sh b/single-node/config/wazuh_cluster/entrypoint.sh new file mode 100755 index 00000000..51f53312 --- /dev/null +++ b/single-node/config/wazuh_cluster/entrypoint.sh 
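Review bot: The new `function_configure_ossec_conf` splices `WAZUH_CLUSTER_KEY`, `WAZUH_NODE_NAME` and `WAZUH_NODE_TYPE` unescaped into `sed "s|...|$VAR|"` replacements, so a value containing `|`, `&` or `\` breaks the expression or is expanded by sed, and when the variable is unset and the file yields no key the element is silently written empty; a guard such as `[[ "$WAZUH_CLUSTER_KEY" =~ ^[[:alnum:]]+$ ]] || { echo "WAZUH_CLUSTER_KEY is empty or contains unsupported characters" >&2; exit 1; }` before the substitutions fails fast instead. The removed header block was the only documentation of the cluster-key mechanism, and the new variables `WAZUH_NODE_TYPE`, `WAZUH_NODE_NAME`, `WAZUH_INDEXER_HOSTS` and `WAZUH_CLUSTER_NODES` (the last two space-separated, `host:port` entries for the indexer list) get none; a function header listing them with their defaults would restore that. The sed addresses render here as `//`, which looks like the XML tag names were lost in rendering rather than in the file, but it is worth confirming, since an empty regex makes sed reuse the previous pattern. Style: the function body is not indented, and `OSSEC_CONF`, `TMP_HOSTS` and `TMP_NODES` should be declared `local`.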
@@ -0,0 +1,85 @@
+#!/bin/bash
+set -xe
+
+OSSEC_CONF="ossec.conf"
+
+# --------------------------
+# Defaults based on OSSEC_CONF
+# --------------------------
+if [[ -z "$WAZUH_CLUSTER_KEY" ]]; then
+ WAZUH_CLUSTER_KEY=$(sed -n '//,/<\/cluster>/s/.*\(.*\)<\/key>.*/\1/p' "$OSSEC_CONF" | head -n1)
+fi
+
+if [[ -z "$WAZUH_CLUSTER_PORT" ]]; then
+ WAZUH_CLUSTER_PORT=$(sed -n '//,/<\/cluster>/s/.*\(.*\)<\/port>.*/\1/p' "$OSSEC_CONF" | head -n1)
+fi
+
+# Node type logic
+if [[ -z "$WAZUH_NODE_TYPE" ]]; then
+ if [[ "$HOSTNAME" == "manager" || "$HOSTNAME" == "aio_node" ]]; then
+ WAZUH_NODE_TYPE="master"
+ else
+ WAZUH_NODE_TYPE="worker"
+ fi
+fi
+
+# Default node name → HOSTNAME if not defined
+WAZUH_NODE_NAME="${WAZUH_NODE_NAME:-$HOSTNAME}"
+
+# --------------------------
+# Replace Indexer Hosts
+# --------------------------
+if [[ -n "$WAZUH_INDEXER_HOSTS" ]]; then
+ TMP_HOSTS=$(mktemp)
+ {
+ echo " "
+ for NODE in $WAZUH_INDEXER_HOSTS; do
+ IP="${NODE%:*}"
+ PORT="${NODE#*:}"
+ echo " https://$IP:$PORT"
+ done
+ echo " "
+ } > "$TMP_HOSTS";
+ sed -i -e '//,/<\/indexer>/{ //,/<\/hosts>/{ //r '"$TMP_HOSTS" \
+ -e 'd }}' "$OSSEC_CONF";
+ rm -f "$TMP_HOSTS";
+fi
+
+# --------------------------
+# Cluster: node_name
+# --------------------------
+sed -i "//,/<\/cluster>/ s|.*|$WAZUH_NODE_NAME|" "$OSSEC_CONF"
+
+# --------------------------
+# Cluster: node_type
+# --------------------------
+sed -i "//,/<\/cluster>/ s|.*|$WAZUH_NODE_TYPE|" "$OSSEC_CONF"
+
+# --------------------------
+# Cluster: key
+# --------------------------
+sed -i "//,/<\/cluster>/ s|.*|$WAZUH_CLUSTER_KEY|" "$OSSEC_CONF"
+
+# --------------------------
+# Cluster: port
+# --------------------------
+sed -i "//,/<\/cluster>/ s|.*|$WAZUH_CLUSTER_PORT|" "$OSSEC_CONF"
+
+# --------------------------
+# Cluster: nodes list
+# --------------------------
+if [[ -n "$WAZUH_CLUSTER_NODES" ]]; then
+ TMP_NODES=$(mktemp)
+ {
+ echo " "
+ for N in $WAZUH_CLUSTER_NODES; do
+ echo " $N"
+ done
+ echo " "
+ } > 
"$TMP_NODES";
+ sed -i -e '//,/<\/cluster>/{ //,/<\/nodes>/{ //r '"$TMP_NODES" \
+ -e 'd }}' "$OSSEC_CONF";
+ rm -f "$TMP_NODES";
+fi
+
+echo "Wazuh manager config modified successfully."
diff --git a/single-node/config/wazuh_indexer/wazuh.indexer.yml b/single-node/config/wazuh_indexer/wazuh.indexer.yml
index 655a16a4..3fc295a4 100644
--- a/single-node/config/wazuh_indexer/wazuh.indexer.yml
+++ b/single-node/config/wazuh_indexer/wazuh.indexer.yml
@@ -6,12 +6,12 @@ path.logs: /var/log/wazuh-indexer
 discovery.type: single-node
 http.port: 9200-9299
 transport.tcp.port: 9300-9399
-plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
-plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
-plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
-plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
-plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
-plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
+plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
+plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
+plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem
 plugins.security.ssl.http.enabled: true
 plugins.security.ssl.transport.enforce_hostname_verification: false
 plugins.security.ssl.transport.resolve_hostname: false
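Review bot: `set -xe` on the second line of entrypoint.sh traces every expanded command to stderr, so the `sed -i "... s|.*|$WAZUH_CLUSTER_KEY|"` call prints the cluster key into the container log on every start. Use `set -e` alone, or wrap that one substitution in `set +x` / `set -x`. `OSSEC_CONF="ossec.conf"` is relative to whatever working directory the entrypoint is launched from, so depending on cwd the script either edits a different file or dies on the first sed; an absolute path, or at least `[[ -f "$OSSEC_CONF" ]] || exit 1` before the first sed, makes the intent explicit. The unescaped use of `$WAZUH_CLUSTER_KEY` and `$WAZUH_NODE_NAME` as sed replacement text raised on the manager hunk above applies here as well.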
From cd8253845fc6b7c46162b9fcd20c8b00266f8fad Mon Sep 17 00:00:00 2001 From: Victor Carlos Erenu Date: Tue, 11 Nov 2025 20:24:45 +0700 Subject: [PATCH 4/6] Modify cert generation process --- .../Procedure_push_docker_images.yml | 2 + build-docker-images/build-images.yml | 6 +++ .../wazuh-dashboard/Dockerfile | 2 + .../wazuh-dashboard/config/config.sh | 49 +++---------------- build-docker-images/wazuh-indexer/Dockerfile | 2 + .../wazuh-indexer/config/config.sh | 47 ++---------------- build-docker-images/wazuh-manager/Dockerfile | 6 +++ .../wazuh-manager/config/config.sh | 28 +++++++++++ 8 files changed, 59 insertions(+), 83 deletions(-) create mode 100644 build-docker-images/wazuh-manager/config/config.sh diff --git a/.github/workflows/Procedure_push_docker_images.yml b/.github/workflows/Procedure_push_docker_images.yml index c6b17fe0..49292201 100644 --- a/.github/workflows/Procedure_push_docker_images.yml +++ b/.github/workflows/Procedure_push_docker_images.yml 
@@ -146,6 +146,8 @@ jobs: wazuh_agent_url_i386_msi: "$(aws s3 presign s3://${{ vars.AWS_S3_BUCKET_DEV }}/development/wazuh/5.x/main/packages/wazuh-agent-5.0.0-${{ inputs.reference }}.i386.msi --expires-in 3600 --region us-west-1)" wazuh_agent_url_intel64_pkg: "$(aws s3 presign s3://${{ vars.AWS_S3_BUCKET_DEV }}/development/wazuh/5.x/main/packages/wazuh-agent-5.0.0-${{ inputs.reference }}.intel64.pkg --expires-in 3600 --region us-west-1)" wazuh_agent_url_arm64_pkg: "$(aws s3 presign s3://${{ vars.AWS_S3_BUCKET_DEV }}/development/wazuh/5.x/main/packages/wazuh-agent-5.0.0-${{ inputs.reference }}.arm64.pkg --expires-in 3600 --region us-west-1)" + wazuh_cert_tool: "$(aws s3 presign s3://${{ vars.AWS_S3_BUCKET_DEV }}/development/wazuh/5.x/secondary/installation-assistant/5.0.0/wazuh-certs-tool.sh --expires-in 3600 --region us-west-1)" + wazuh_config_yml: "$(aws s3 presign s3://${{ vars.AWS_S3_BUCKET_DEV }}/development/wazuh/5.x/secondary/installation-assistant/5.0.0/config.yml --expires-in 3600 --region us-west-1)" EOF working-directory: ./build-docker-images diff --git a/build-docker-images/build-images.yml b/build-docker-images/build-images.yml index 9ed60754..a6478b17 100644 --- a/build-docker-images/build-images.yml +++ b/build-docker-images/build-images.yml @@ -8,6 +8,8 @@ services: WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION} wazuh_manager_url_amd64_rpm: ${wazuh_manager_url_x86_64_rpm} wazuh_manager_url_arm64_rpm: ${wazuh_manager_url_aarch64_rpm} + wazuh_cert_tool: ${wazuh_cert_tool} + wazuh_config_yml: ${wazuh_config_yml} image: ${WAZUH_REGISTRY}/wazuh/wazuh-manager:${IMAGE_TAG} hostname: wazuh.manager restart: always 
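Review bot: `wazuh_cert_tool` and `wazuh_config_yml` are presigned S3 URLs that are then handed to the image builds as Docker build `ARG`s (the `ARG wazuh_cert_tool` / `ARG wazuh_config_yml` lines in the dashboard, indexer and manager Dockerfile hunks and the `args:` entries in build-images.yml). Docker records the build-arg values in scope in the layer history of the `RUN` steps that follow them, so the signed URL — bucket path, signature and credential id — ends up inside the published images; the one-hour expiry limits replay but not disclosure. Pass them as BuildKit secrets instead (`RUN --mount=type=secret,id=wazuh_cert_tool ... "$(cat /run/secrets/wazuh_cert_tool)"`), or download the two files once in this job and `COPY` them from the build context.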
@@ -49,6 +51,8 @@ services: WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION} wazuh_indexer_url_amd64_rpm: ${wazuh_indexer_url_x86_64_rpm} wazuh_indexer_url_arm64_rpm: ${wazuh_indexer_url_aarch64_rpm} + wazuh_cert_tool: ${wazuh_cert_tool} + wazuh_config_yml: ${wazuh_config_yml} image: ${WAZUH_REGISTRY}/wazuh/wazuh-indexer:${IMAGE_TAG} hostname: wazuh.indexer restart: always @@ -73,6 +77,8 @@ services: WAZUH_UI_REVISION: ${WAZUH_UI_REVISION} wazuh_dashboard_url_amd64_rpm: ${wazuh_dashboard_url_x86_64_rpm} wazuh_dashboard_url_arm64_rpm: ${wazuh_dashboard_url_aarch64_rpm} + wazuh_cert_tool: ${wazuh_cert_tool} + wazuh_config_yml: ${wazuh_config_yml} image: ${WAZUH_REGISTRY}/wazuh/wazuh-dashboard:${IMAGE_TAG} hostname: wazuh.dashboard restart: always diff --git a/build-docker-images/wazuh-dashboard/Dockerfile b/build-docker-images/wazuh-dashboard/Dockerfile index 780f28f6..8184853f 100644 --- a/build-docker-images/wazuh-dashboard/Dockerfile +++ b/build-docker-images/wazuh-dashboard/Dockerfile @@ -8,6 +8,8 @@ ARG INSTALL_DIR=/usr/share/wazuh-dashboard ARG TARGETARCH ARG wazuh_dashboard_url_amd64_rpm ARG wazuh_dashboard_url_arm64_rpm +ARG wazuh_cert_tool +ARG wazuh_config_yml # Update and install dependencies RUN URL_VAR="wazuh_dashboard_url_${TARGETARCH}_rpm" && \ diff --git a/build-docker-images/wazuh-dashboard/config/config.sh b/build-docker-images/wazuh-dashboard/config/config.sh index 23879717..4b6a2fcd 100644 --- a/build-docker-images/wazuh-dashboard/config/config.sh +++ b/build-docker-images/wazuh-dashboard/config/config.sh 
@@ -7,51 +7,18 @@ export TARGET_DIR=${CURDIR}/debian/${NAME}
 export INSTALLATION_DIR=/usr/share/${NAME}
 export CONFIG_DIR=${INSTALLATION_DIR}/config
-## Variables
-CERT_TOOL=wazuh-certs-tool.sh
-CERT_CONFIG_FILE=config.yml
-CERT_TOOL_VERSION=5.0 #"${WAZUH_VERSION%.*}"
-PACKAGES_URL=https://packages.wazuh.com/$CERT_TOOL_VERSION/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/$CERT_TOOL_VERSION/
-
-download_package() {
- local url=$1
- local package=$2
- local output=$2
- echo "Checking $url$package ..."
- if curl -fsL "$url$package" -o "$output"; then
- echo "Downloaded $package from $url"
- return 0
- else
- return 1
- fi
-}
-
+##############################################################################
+# Downloading Cert Gen Tool
+##############################################################################
+# Variables for certificate generation
+CERT_TOOL="wazuh-certs-tool.sh"
+CERT_CONFIG_FILE="config.yml"
 # Download the tool to create the certificates
 echo "Downloading the tool to create the certificates..."
-# Try first the prod URL, if it fails try the dev URL
-if download_package "$PACKAGES_URL" "$CERT_TOOL"; then
- :
-elif download_package "$PACKAGES_DEV_URL" "$CERT_TOOL"; then
- :
-else
- echo "The tool to create the certificates does not exist in any bucket"
- echo "ERROR: certificates were not created"
- exit 1
-fi
-
+curl -fsL "$wazuh_cert_tool" -o $CERT_TOOL
 # Download the config file for the certificate tool
 echo "Downloading the config file for the certificate tool..."
-# Try first the prod URL, if it fails try the dev URL
-if download_package "$PACKAGES_URL" "$CERT_CONFIG_FILE"; then
- :
-elif download_package "$PACKAGES_DEV_URL" "$CERT_CONFIG_FILE"; then
- :
-else
- echo "The config file for the certificate tool does not exist in any bucket"
- echo "ERROR: certificates were not created"
- exit 1
-fi
+curl -fsL "$wazuh_config_yml" -o $CERT_CONFIG_FILE
 # Modify the config file to set the IP to localhost
 sed -i 's/ ip:.*/ ip: "127.0.0.1"/' $CERT_CONFIG_FILE
diff --git a/build-docker-images/wazuh-indexer/Dockerfile b/build-docker-images/wazuh-indexer/Dockerfile
index ada8d8d6..51ca78d0 100644
--- a/build-docker-images/wazuh-indexer/Dockerfile
+++ b/build-docker-images/wazuh-indexer/Dockerfile
@@ -6,6 +6,8 @@ ARG WAZUH_TAG_REVISION
 ARG TARGETARCH
 ARG wazuh_indexer_url_amd64_rpm
 ARG wazuh_indexer_url_arm64_rpm
+ARG wazuh_cert_tool
+ARG wazuh_config_yml
 COPY config/config.sh .
diff --git a/build-docker-images/wazuh-indexer/config/config.sh b/build-docker-images/wazuh-indexer/config/config.sh
index 4ff30da5..7bcd68de 100644
--- a/build-docker-images/wazuh-indexer/config/config.sh
+++ b/build-docker-images/wazuh-indexer/config/config.sh
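Review bot: `curl -fsL "$wazuh_cert_tool" -o $CERT_TOOL` fetches a script that the build then executes (`bash "$CERT_TOOL" -A` is visible in the new manager config.sh; the dashboard's call lies outside this hunk) with no integrity check, and unlike the removed branch it no longer stops the build when nothing was downloaded. Pin the artefact: keep its expected digest in the repository and run `printf '%s  %s\n' "<SHA256_PLACEHOLDER>" "$CERT_TOOL" | sha256sum -c - || exit 1` before the script is made executable; the `-o $CERT_TOOL` and `-o $CERT_CONFIG_FILE` targets should be quoted as well. The indexer config.sh hunk of this commit and the new manager config.sh carry the same two calls.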
@@ -18,52 +18,15 @@ export CONFIG_DIR=${INSTALLATION_DIR}/config
 ##############################################################################
 # Downloading Cert Gen Tool
 ##############################################################################
-
-## Variables
-CERT_TOOL=wazuh-certs-tool.sh
-CERT_CONFIG_FILE=config.yml
-CERT_TOOL_VERSION=5.0 #"${WAZUH_VERSION%.*}"
-PACKAGES_URL=https://packages.wazuh.com/$CERT_TOOL_VERSION/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/$CERT_TOOL_VERSION/
-
-download_package() {
- local url=$1
- local package=$2
- local output=$2
- echo "Checking $url$package ..."
- if curl -fsL "$url$package" -o "$output"; then
- echo "Downloaded $package from $url"
- return 0
- else
- return 1
- fi
-}
-
+# Variables for certificate generation
+CERT_TOOL="wazuh-certs-tool.sh"
+CERT_CONFIG_FILE="config.yml"
 # Download the tool to create the certificates
 echo "Downloading the tool to create the certificates..."
-# Try first the prod URL, if it fails try the dev URL
-if download_package "$PACKAGES_URL" "$CERT_TOOL"; then
- :
-elif download_package "$PACKAGES_DEV_URL" "$CERT_TOOL"; then
- :
-else
- echo "The tool to create the certificates does not exist in any bucket"
- echo "ERROR: certificates were not created"
- exit 1
-fi
-
+curl -fsL "$wazuh_cert_tool" -o $CERT_TOOL
 # Download the config file for the certificate tool
 echo "Downloading the config file for the certificate tool..."
-# Try first the prod URL, if it fails try the dev URL
-if download_package "$PACKAGES_URL" "$CERT_CONFIG_FILE"; then
- :
-elif download_package "$PACKAGES_DEV_URL" "$CERT_CONFIG_FILE"; then
- :
-else
- echo "The config file for the certificate tool does not exist in any bucket"
- echo "ERROR: certificates were not created"
- exit 1
-fi
+curl -fsL "$wazuh_config_yml" -o $CERT_CONFIG_FILE
 # Modify the config file to set the IP to localhost
 sed -i 's/ ip:.*/ ip: "127.0.0.1"/' $CERT_CONFIG_FILE
diff --git a/build-docker-images/wazuh-manager/Dockerfile b/build-docker-images/wazuh-manager/Dockerfile
index 64c7059f..d7969b15 100644
--- a/build-docker-images/wazuh-manager/Dockerfile
+++ b/build-docker-images/wazuh-manager/Dockerfile
@@ -9,6 +9,10 @@ ARG S6_VERSION="v2.2.0.3"
 ARG TARGETARCH
 ARG wazuh_manager_url_amd64_rpm
 ARG wazuh_manager_url_arm64_rpm
+ARG wazuh_cert_tool
+ARG wazuh_config_yml
+
+COPY config/config.sh .
 RUN URL_VAR="wazuh_manager_url_${TARGETARCH}_rpm" && \
 manager_url="${!URL_VAR}" && \
@@ -18,6 +22,8 @@ RUN URL_VAR="wazuh_manager_url_${TARGETARCH}_rpm" && \
 dnf install /wazuh-manager.rpm -y && \
 rm -rf /wazuh-manager.rpm && \
 dnf clean all && \
+ chmod 755 /config.sh && \
+ /config.sh && \
 curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
 -o /tmp/s6-overlay-amd64.tar.gz && \
 tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \
diff --git a/build-docker-images/wazuh-manager/config/config.sh b/build-docker-images/wazuh-manager/config/config.sh
new file mode 100644
index 00000000..5bfd2d4c
--- /dev/null
+++ b/build-docker-images/wazuh-manager/config/config.sh
@@ -0,0 +1,28 @@
+##############################################################################
+# Downloading Cert Gen Tool
+##############################################################################
+# Variables for certificate generation
+CERT_TOOL="wazuh-certs-tool.sh"
+CERT_CONFIG_FILE="config.yml"
+CERT_DIR=/var/ossec/etc/certs/
+# Download the tool to create the certificates
+echo "Downloading the tool to create the certificates..."
+curl -fsL "$wazuh_cert_tool" -o $CERT_TOOL
+# Download the config file for the certificate tool
+echo "Downloading the config file for the certificate tool..."
+curl -fsL "$wazuh_config_yml" -o $CERT_CONFIG_FILE
+
+# Modify the config file to set the IP to localhost
+sed -i 's/ ip:.*/ ip: "127.0.0.1"/' $CERT_CONFIG_FILE
+
+chmod 700 "$CERT_CONFIG_FILE"
+# Create the certificates
+chmod 755 "$CERT_TOOL" && bash "$CERT_TOOL" -A
+
+# Copy Wazuh manager certs
+cp -pr /wazuh-certificates/wazuh-1.pem ${CERT_DIR}/wazuh-1.pem
+cp -pr /wazuh-certificates/wazuh-1-key.pem ${CERT_DIR}/wazuh-1-key.pem
+cp -pr /wazuh-certificates/root-ca.key ${CERT_DIR}/root-ca.key
+cp -pr /wazuh-certificates/root-ca.pem ${CERT_DIR}/root-ca.pem
+cp -pr /wazuh-certificates/admin.pem ${CERT_DIR}/admin.pem
+cp -pr /wazuh-certificates/admin-key.pem ${CERT_DIR}/admin-key.pem
\ No newline at end of file
From c9f379d02e287c7f5e3561df162ae2ffdf951087 Mon Sep 17 00:00:00 2001 From: Victor Carlos Erenu Date: Tue, 11 Nov 2025 21:44:08 +0700 Subject: [PATCH 5/6] Add download check --- .../wazuh-dashboard/config/config.sh | 15 +++++++++++++-- .../wazuh-indexer/config/config.sh | 15 +++++++++++++-- .../wazuh-manager/config/config.sh | 15 +++++++++++++-- 3 files changed, 39 insertions(+), 6 deletions(-)
diff --git a/build-docker-images/wazuh-dashboard/config/config.sh b/build-docker-images/wazuh-dashboard/config/config.sh
index 4b6a2fcd..2d1d0ee4 100644
--- a/build-docker-images/wazuh-dashboard/config/config.sh
+++ b/build-docker-images/wazuh-dashboard/config/config.sh
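Review bot: `cp -pr /wazuh-certificates/root-ca.key ${CERT_DIR}/root-ca.key` places the CA private key — and, two lines later, `admin-key.pem` — inside the published manager image; because this runs at image build time, every container started from that image shares one CA key, and anyone who can pull the image can mint certificates that its indexer and dashboard trust. Copy only `wazuh-1.pem`, `wazuh-1-key.pem` and `root-ca.pem` here, and state in a header comment that these are build-time placeholder certificates to be replaced or mounted at deploy time. Smaller points: the file has no shebang or `set -e`, so a failed `curl` does not stop the build and the `cp` lines run regardless; `chmod 700 "$CERT_CONFIG_FILE"` adds execute to a YAML file where `chmod 600` is presumably intended; and nothing creates `$CERT_DIR` before the copies, so this relies on the package having created it.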
@@ -13,12 +13,23 @@ export CONFIG_DIR=${INSTALLATION_DIR}/config
 # Variables for certificate generation
 CERT_TOOL="wazuh-certs-tool.sh"
 CERT_CONFIG_FILE="config.yml"
+download_package() {
+ local url=$1
+ local package=$2
+ if curl -fsL "$url" -o "$package"; then
+ echo "Downloaded $package"
+ return 0
+ else
+ echo "Error downloading $package from $url"
+ return 1
+ fi
+}
 # Download the tool to create the certificates
 echo "Downloading the tool to create the certificates..."
-curl -fsL "$wazuh_cert_tool" -o $CERT_TOOL
+download_package "$wazuh_cert_tool" $CERT_TOOL
 # Download the config file for the certificate tool
 echo "Downloading the config file for the certificate tool..."
-curl -fsL "$wazuh_config_yml" -o $CERT_CONFIG_FILE
+download_package "$wazuh_config_yml" $CERT_CONFIG_FILE
 # Modify the config file to set the IP to localhost
 sed -i 's/ ip:.*/ ip: "127.0.0.1"/' $CERT_CONFIG_FILE
diff --git a/build-docker-images/wazuh-indexer/config/config.sh b/build-docker-images/wazuh-indexer/config/config.sh
index 7bcd68de..abcf257b 100644
--- a/build-docker-images/wazuh-indexer/config/config.sh
+++ b/build-docker-images/wazuh-indexer/config/config.sh
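Review bot: `download_package "$wazuh_cert_tool" $CERT_TOOL` returns 1 when curl fails, but the status is never checked, so the script carries on to the sed and to certificate generation with the file missing; over the previous plain curl call the only functional gain is the message. That message, `echo "Error downloading $package from $url"`, also writes the full presigned URL — signature included — into the build log. Check the result on both calls, `download_package "$wazuh_cert_tool" "$CERT_TOOL" || exit 1`, and log only `$package` or the URL with its query string stripped, `${url%%\?*}`. The indexer and manager hunks in this commit add the identical helper and calls.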
@@ -21,12 +21,23 @@ export CONFIG_DIR=${INSTALLATION_DIR}/config
 # Variables for certificate generation
 CERT_TOOL="wazuh-certs-tool.sh"
 CERT_CONFIG_FILE="config.yml"
+download_package() {
+ local url=$1
+ local package=$2
+ if curl -fsL "$url" -o "$package"; then
+ echo "Downloaded $package"
+ return 0
+ else
+ echo "Error downloading $package from $url"
+ return 1
+ fi
+}
 # Download the tool to create the certificates
 echo "Downloading the tool to create the certificates..."
-curl -fsL "$wazuh_cert_tool" -o $CERT_TOOL
+download_package "$wazuh_cert_tool" $CERT_TOOL
 # Download the config file for the certificate tool
 echo "Downloading the config file for the certificate tool..."
-curl -fsL "$wazuh_config_yml" -o $CERT_CONFIG_FILE
+download_package "$wazuh_config_yml" $CERT_CONFIG_FILE
 # Modify the config file to set the IP to localhost
 sed -i 's/ ip:.*/ ip: "127.0.0.1"/' $CERT_CONFIG_FILE
diff --git a/build-docker-images/wazuh-manager/config/config.sh b/build-docker-images/wazuh-manager/config/config.sh
index 5bfd2d4c..d5359904 100644
--- a/build-docker-images/wazuh-manager/config/config.sh
+++ b/build-docker-images/wazuh-manager/config/config.sh
@@ -5,12 +5,23 @@ CERT_TOOL="wazuh-certs-tool.sh"
 CERT_CONFIG_FILE="config.yml"
 CERT_DIR=/var/ossec/etc/certs/
+download_package() {
+ local url=$1
+ local package=$2
+ if curl -fsL "$url" -o "$package"; then
+ echo "Downloaded $package"
+ return 0
+ else
+ echo "Error downloading $package from $url"
+ return 1
+ fi
+}
 # Download the tool to create the certificates
 echo "Downloading the tool to create the certificates..."
-curl -fsL "$wazuh_cert_tool" -o $CERT_TOOL
+download_package "$wazuh_cert_tool" $CERT_TOOL
 # Download the config file for the certificate tool
 echo "Downloading the config file for the certificate tool..."
-curl -fsL "$wazuh_config_yml" -o $CERT_CONFIG_FILE
+download_package "$wazuh_config_yml" $CERT_CONFIG_FILE
 # Modify the config file to set the IP to localhost
 sed -i 's/ ip:.*/ ip: "127.0.0.1"/' $CERT_CONFIG_FILE
From d60c2ebb3517f4ee0172ad4c8e5f22b351c942c8 Mon Sep 17 00:00:00 2001 From: Victor Carlos Erenu Date: Tue, 11 Nov 2025 21:47:44 +0700 Subject: [PATCH 6/6] dashboard entrypoint --- .../wazuh-dashboard/config/entrypoint.sh | 100 ------------------ 1 file changed, 100 deletions(-)
diff --git a/build-docker-images/wazuh-dashboard/config/entrypoint.sh b/build-docker-images/wazuh-dashboard/config/entrypoint.sh
index ea9974f1..b4de1fc7 100644
--- a/build-docker-images/wazuh-dashboard/config/entrypoint.sh
+++ b/build-docker-images/wazuh-dashboard/config/entrypoint.sh
@@ -25,107 +25,7 @@ echo $DASHBOARD_USERNAME | $OPENSEARCH_DASHBOARDS_HOME/bin/opensearch-dashboards
 echo $DASHBOARD_PASSWORD | $OPENSEARCH_DASHBOARDS_HOME/bin/opensearch-dashboards-keystore add opensearch.password --stdin --allow-root
 opensearch_dashboards_vars=(
- console.enabled
- console.proxyConfig
- console.proxyFilter
- ops.cGroupOverrides.cpuPath
- ops.cGroupOverrides.cpuAcctPath
- cpu.cgroup.path.override
- cpuacct.cgroup.path.override
- csp.rules
- csp.strict
- csp.warnLegacyBrowsers
- data.search.usageTelemetry.enabled
- opensearch.customHeaders
 opensearch.hosts
- opensearch.logQueries
- opensearch.memoryCircuitBreaker.enabled
- opensearch.memoryCircuitBreaker.maxPercentage
- opensearch.password
- opensearch.pingTimeout
- opensearch.requestHeadersWhitelist
- opensearch.requestTimeout
- opensearch.shardTimeout
- opensearch.sniffInterval
- opensearch.sniffOnConnectionFault
- opensearch.sniffOnStart
- opensearch.ssl.alwaysPresentCertificate
- opensearch.ssl.certificate
- opensearch.ssl.certificateAuthorities
- opensearch.ssl.key
- opensearch.ssl.keyPassphrase
- opensearch.ssl.keystore.path
- opensearch.ssl.keystore.password
- opensearch.ssl.truststore.path
- opensearch.ssl.truststore.password
- opensearch.ssl.verificationMode
- opensearch.username
- i18n.locale
- interpreter.enableInVisualize
- opensearchDashboards.autocompleteTerminateAfter
- opensearchDashboards.autocompleteTimeout
- opensearchDashboards.defaultAppI
- server.rewriteBasePath
- server.socketTimeout
- server.ssl.cert
- server.ssl.certificate
- server.ssl.certificateAuthorities
- server.ssl.cipherSuites
- server.ssl.clientAuthentication
- server.customResponseHeaders
- server.ssl.enabled
- server.ssl.key
- server.ssl.keyPassphrase
- server.ssl.keystore.path
- server.ssl.keystore.password
- server.ssl.truststore.path
- server.ssl.truststore.password
- server.ssl.redirectHttpFromPort
- server.ssl.supportedProtocols
- server.xsrf.disableProtection
- server.xsrf.whitelist
- status.allowAnonymous 
- status.v6ApiFormat
- tilemap.options.attribution
- tilemap.options.maxZoom
- tilemap.options.minZoom
- tilemap.options.subdomains
- tilemap.url
- timeline.enabled
- vega.enableExternalUrls
- apm_oss.apmAgentConfigurationIndex
- apm_oss.indexPattern
- apm_oss.errorIndices
- apm_oss.onboardingIndices
- apm_oss.spanIndices
- apm_oss.sourcemapIndices
- apm_oss.transactionIndices
- apm_oss.metricsIndices
- telemetry.allowChangingOptInStatus
- telemetry.enabled
- telemetry.optIn
- telemetry.optInStatusUrl
- telemetry.sendUsageFrom
- vis_builder.enabled
- data_source.enabled
- data_source.encryption.wrappingKeyName
- data_source.encryption.wrappingKeyNamespace
- data_source.encryption.wrappingKey
- data_source.audit.enabled
- data_source.audit.appender.kind
- data_source.audit.appender.path
- data_source.audit.appender.layout.kind
- data_source.audit.appender.layout.highlight
- data_source.audit.appender.layout.pattern
- ml_commons_dashboards.enabled
- observability.query_assist.enabled
- usageCollection.uiMetric.enabled
- workspace.enabled
- assistant.chat.enabled
- assistant.alertInsight.enabled
- assistant.smartAnomalyDetector.enabled
- assistant.text2viz.enabled
- queryEnhancements.queryAssist.summary.enabled
 )
 function runOpensearchDashboards {