wazuh/wazuh-kubernetes
1
0
Fork 0
mirror of https://github.com/wazuh/wazuh-kubernetes.git synced 2025-12-11 03:35:28 -06:00
Code Issues Packages Projects Releases 100 Wiki Activity

add wazuh-eks deployment

Browse Source
This commit is contained in:
vcerenu 2024-01-31 08:21:31 -03:00
parent 8427897848
commit 31dd36b94e
No known key found for this signature in database
GPG Key ID: 4D7B159107F1244A
30 changed files with 1871 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.gitignore vendored Normal file
View File

@ -0,0 +1,10 @@
wazuh/certs/dashboard_http/*.pem
wazuh/certs/dashboard_http/*.key
wazuh/certs/indexer_cluster/*.pem
wazuh/certs/indexer_cluster/*.key
wazuh/certs/indexer_cluster/*.csr
wazuh-eks/certs/dashboard_http/*.pem
wazuh-eks/certs/dashboard_http/*.key
wazuh-eks/certs/indexer_cluster/*.pem
wazuh-eks/certs/indexer_cluster/*.key
wazuh-eks/certs/indexer_cluster/*.csr

24
envs/eks-nlb/dashboard-resources.yaml Normal file
View File

@ -0,0 +1,24 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
apiVersion: apps/v1
kind: Deployment
metadata:
name: wazuh-dashboard
namespace: wazuh
spec:
template:
spec:
containers:
- name: wazuh-dashboard
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 400m
memory: 2Gi

35
envs/eks-nlb/indexer-resources.yaml Normal file
View File

@ -0,0 +1,35 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: wazuh-indexer
namespace: wazuh
spec:
template:
spec:
containers:
- name: wazuh-indexer
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 1
memory: 2Gi
volumeClaimTemplates:
- metadata:
name: wazuh-indexer
namespace: indexer-cluster
spec:
accessModes:
- ReadWriteOnce
storageClassName: wazuh-storage
resources:
requests:
storage: 10Gi

17
envs/eks-nlb/kustomization.yml Normal file
View File

@ -0,0 +1,17 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../wazuh-eks
patches:
- path: storage-class.yaml
- path: indexer-resources.yaml
- path: dashboard-resources.yaml
- path: wazuh-master-resources.yaml
- path: wazuh-worker-resources.yaml

19
envs/eks-nlb/storage-class.yaml Normal file
View File

@ -0,0 +1,19 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh StorageClass
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: wazuh-storage
provisioner: kubernetes.io/aws-ebs
parameters:
encrypted: 'true'
type: gp2
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: Retain # Useful in case you delete the PersistentVolumeClaim

35
envs/eks-nlb/wazuh-master-resources.yaml Normal file
View File

@ -0,0 +1,35 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: wazuh-manager-master
namespace: wazuh
spec:
template:
spec:
containers:
- name: wazuh-manager
resources:
requests:
cpu: 1
memory: 1Gi
limits:
cpu: 2
memory: 2Gi
volumeClaimTemplates:
- metadata:
name: wazuh-manager-master
namespace: wazuh
spec:
accessModes:
- ReadWriteOnce
storageClassName: wazuh-storage
resources:
requests:
storage: 50Gi

35
envs/eks-nlb/wazuh-worker-resources.yaml Normal file
View File

@ -0,0 +1,35 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: wazuh-manager-worker
namespace: wazuh
spec:
template:
spec:
containers:
- name: wazuh-manager
resources:
requests:
cpu: 1
memory: 1Gi
limits:
cpu: 2
memory: 2Gi
volumeClaimTemplates:
- metadata:
name: wazuh-manager-worker
namespace: wazuh
spec:
accessModes:
- ReadWriteOnce
storageClassName: wazuh-storage
resources:
requests:
storage: 50Gi

14
wazuh-eks/base/storage-class.yaml Normal file
View File

@ -0,0 +1,14 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh StorageClass
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: wazuh-storage
# provisioner: k8s.io/minikube-hostpath

13
wazuh-eks/base/wazuh-ns.yaml Normal file
View File

@ -0,0 +1,13 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh namespace
apiVersion: v1
kind: Namespace
metadata:
name: wazuh

6
wazuh-eks/certs/dashboard_http/generate_certs.sh Executable file
View File

@ -0,0 +1,6 @@
#!/bin/bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
cd $DIR
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem

85
wazuh-eks/certs/indexer_cluster/generate_certs.sh Executable file
View File

@ -0,0 +1,85 @@
#!/bin/bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
cd $DIR
echo "Root CA"
openssl genrsa -out root-ca-key.pem 2048
openssl req -days 3650 -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -subj "/C=US/L=California/O=Company/CN=root-ca"
echo "Admin cert"
echo "create: admin-key-temp.pem"
openssl genrsa -out admin-key-temp.pem 2048
echo "create: admin-key.pem"
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
echo "create: admin.csr"
openssl req -days 3650 -new -key admin-key.pem -out admin.csr -subj "/C=US/L=California/O=Company/CN=admin"
echo "create: admin.pem"
openssl x509 -req -days 3650 -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
echo "* Node cert"
echo "create: node-key-temp.pem"
openssl genrsa -out node-key-temp.pem 2048
echo "create: node-key.pem"
openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-key.pem
echo "create: node.csr"
openssl req -days 3650 -new -key node-key.pem -out node.csr -subj "/C=US/L=California/O=Company/CN=wazuh-internal-lb"
echo "create: node.pem"
openssl x509 -req -days 3650 -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem
echo "* dashboard cert"
echo "create: dashboard-key-temp.pem"
openssl genrsa -out dashboard-key-temp.pem 2048
echo "create: dashboard-key.pem"
openssl pkcs8 -inform PEM -outform PEM -in dashboard-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out dashboard-key.pem
echo "create: dashboard.csr"
openssl req -days 3650 -new -key dashboard-key.pem -out dashboard.csr -subj "/C=US/L=California/O=Company/CN=wazuh-external-lb"
echo "create: dashboard.pem"
openssl x509 -req -days 3650 -in dashboard.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out dashboard.pem
echo "* Filebeat cert"
echo "create: filebeat-key-temp.pem"
openssl genrsa -out filebeat-key-temp.pem 2048
echo "create: filebeat-key.pem"
openssl pkcs8 -inform PEM -outform PEM -in filebeat-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out filebeat-key.pem
echo "create: filebeat.csr"
openssl req -days 3650 -new -key filebeat-key.pem -out filebeat.csr -subj "/C=US/L=California/O=Company/CN=wazuh-external-lb"
echo "create: filebeat.pem"
openssl x509 -req -days 3650 -in filebeat.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out filebeat.pem

100
wazuh-eks/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml Normal file
View File

@ -0,0 +1,100 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Dashboard Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: wazuh-dashboard
namespace: wazuh
spec:
replicas: 1
selector:
matchLabels:
app: wazuh-dashboard
template:
metadata:
labels:
app: wazuh-dashboard
name: wazuh-dashboard
spec:
volumes:
- name: config
configMap:
name: dashboard-conf
- name: dashboard-certs
secret:
secretName: dashboard-certs
containers:
- name: wazuh-dashboard
image: 'wazuh/wazuh-dashboard:4.9.0'
resources:
limits:
cpu: 500m
memory: 1Gi
volumeMounts:
- name: config
mountPath: /usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
subPath: opensearch_dashboards.yml
readOnly: false
- name: dashboard-certs
mountPath: /usr/share/wazuh-dashboard/certs/cert.pem
readOnly: true
subPath: cert.pem
- name: dashboard-certs
mountPath: /usr/share/wazuh-dashboard/certs/key.pem
readOnly: true
subPath: key.pem
- name: dashboard-certs
mountPath: /usr/share/wazuh-dashboard/certs/root-ca.pem
subPath: root-ca.pem
readOnly: true
ports:
- containerPort: 5601
name: dashboard
env:
- name: INDEXER_URL
value: 'https://wazuh-indexer-0.wazuh-indexer:9200'
- name: INDEXER_USERNAME
valueFrom:
secretKeyRef:
name: indexer-cred
key: username
- name: INDEXER_PASSWORD
valueFrom:
secretKeyRef:
name: indexer-cred
key: password
- name: DASHBOARD_USERNAME
valueFrom:
secretKeyRef:
name: dashboard-cred
key: username
- name: DASHBOARD_PASSWORD
valueFrom:
secretKeyRef:
name: dashboard-cred
key: password
- name: SERVER_SSL_ENABLED
value: "true"
- name: SERVER_SSL_CERTIFICATE
value: /usr/share/wazuh-dashboard/certs/cert.pem
- name: SERVER_SSL_KEY
value: /usr/share/wazuh-dashboard/certs/key.pem
- name: WAZUH_API_URL
value: https://wazuh-manager-master-0.wazuh-cluster
- name: API_USERNAME
valueFrom:
secretKeyRef:
name: wazuh-api-cred
key: username
- name: API_PASSWORD
valueFrom:
secretKeyRef:
name: wazuh-api-cred
key: password

13
wazuh-eks/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml Normal file
View File

@ -0,0 +1,13 @@
server.host: 0.0.0.0
server.port: 5601
opensearch.hosts: https://wazuh-internal-lb:9200
opensearch.ssl.verificationMode: none
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/usr/share/wazuh-dashboard/certs/key.pem"
server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/cert.pem"
opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home

30
wazuh-eks/indexer_stack/wazuh-dashboard/lb-external.yaml Normal file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: Service
metadata:
name: wazuh-external-lb
namespace: wazuh
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: external
service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
service.beta.kubernetes.io/aws-load-balancer-name: wazuh-external-lb
spec:
type: LoadBalancer
ports:
- name: manager-worker-agents-events
port: 1514
targetPort: agents-events
- name: manager-cluster
port: 1516
targetPort: cluster-port
- name: manager-master-registration
port: 1515
targetPort: registration
- name: manager-master-api
port: 55000
targetPort: api-port
- name: dashboard
port: 443
targetPort: dashboard-port
selector:
lbtype: external

22
wazuh-eks/indexer_stack/wazuh-dashboard/lb-internal.yaml Normal file
View File

@ -0,0 +1,22 @@
apiVersion: v1
kind: Service
metadata:
name: wazuh-internal-lb
namespace: wazuh
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: internal
service.beta.kubernetes.io/aws-load-balancer-scheme: internal
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
service.beta.kubernetes.io/aws-load-balancer-name: wazuh-internal-lb
spec:
type: LoadBalancer
ports:
- name: indexer-rest
port: 9200
targetPort: indexer-rest
- name: indexer-nodes
port: 9300
targetPort: indexer-nodes
selector:
lbtype: internal
app: wazuh-indexer

140
wazuh-eks/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml Normal file
View File

@ -0,0 +1,140 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Indexer StatefulSet: 3 master nodes.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: wazuh-indexer
namespace: wazuh
spec:
replicas: 3
selector:
matchLabels:
app: wazuh-indexer
serviceName: wazuh-indexer
template:
metadata:
labels:
app: wazuh-indexer
name: wazuh-indexer
spec:
# Set the wazuh-indexer volume permissions so the wazuh-indexer user can use it
volumes:
- name: indexer-certs
secret:
secretName: indexer-certs
- name: indexer-conf
configMap:
name: indexer-conf
initContainers:
- name: volume-mount-hack
image: busybox
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 100m
memory: 256Mi
command:
- sh
- '-c'
- 'chown -R 1000:1000 /var/lib/wazuh-indexer'
volumeMounts:
- name: wazuh-indexer
mountPath: /var/lib/wazuh-indexer
- name: increase-the-vm-max-map-count
image: busybox
command:
- sysctl
- -w
- vm.max_map_count=262144
securityContext:
privileged: true
containers:
- name: wazuh-indexer
image: 'wazuh/wazuh-indexer:4.9.0'
resources:
limits:
cpu: 500m
memory: 1564Mi
env:
- name: OPENSEARCH_JAVA_OPTS
value: '-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true'
- name: CLUSTER_NAME
value: wazuh
- name: NETWORK_HOST
value: "0.0.0.0"
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: DISCOVERY_SERVICE
value: wazuh-indexer
- name: KUBERNETES_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: DISABLE_INSTALL_DEMO_CONFIG
value: 'true'
- name: INDEXER_PASSWORD
valueFrom:
secretKeyRef:
name: indexer-cred
key: password
securityContext:
capabilities:
add: ["SYS_CHROOT"]
volumeMounts:
- name: wazuh-indexer
mountPath: /var/lib/wazuh-indexer
- name: indexer-certs
mountPath: /usr/share/wazuh-indexer/certs/node-key.pem
subPath: node-key.pem
readOnly: true
- name: indexer-certs
mountPath: /usr/share/wazuh-indexer/certs/node.pem
subPath: node.pem
readOnly: true
- name: indexer-certs
mountPath: /usr/share/wazuh-indexer/certs/root-ca.pem
subPath: root-ca.pem
readOnly: true
- name: indexer-certs
mountPath: /usr/share/wazuh-indexer/certs/admin.pem
subPath: admin.pem
readOnly: true
- name: indexer-certs
mountPath: /usr/share/wazuh-indexer/certs/admin-key.pem
subPath: admin-key.pem
readOnly: true
- name: indexer-conf
mountPath: /usr/share/wazuh-indexer/opensearch.yml
subPath: opensearch.yml
readOnly: true
- name: indexer-conf
mountPath: /usr/share/wazuh-indexer/opensearch-security/internal_users.yml
subPath: internal_users.yml
readOnly: true
ports:
- containerPort: 9200
name: indexer-rest
- containerPort: 9300
name: indexer-nodes
volumeClaimTemplates:
- metadata:
name: wazuh-indexer
namespace: indexer-cluster
spec:
accessModes:
- ReadWriteOnce
storageClassName: wazuh-storage
resources:
requests:
storage: 500Mi

24
wazuh-eks/indexer_stack/wazuh-indexer/indexer-svc.yaml Normal file
View File

@ -0,0 +1,24 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Indexer service: Communications
apiVersion: v1
kind: Service
metadata:
name: wazuh-indexer
namespace: wazuh
labels:
app: wazuh-indexer
spec:
selector:
app: wazuh-indexer
ports:
- name: indexer-nodes
port: 9300
targetPort: 9300
clusterIP: None

56
wazuh-eks/indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml Normal file
View File

@ -0,0 +1,56 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
## Demo users
admin:
hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
kibanaserver:
hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
reserved: true
description: "Demo kibanaserver user"
kibanaro:
hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo kibanaro user"
logstash:
hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
backend_roles:
- "logstash"
description: "Demo logstash user"
readall:
hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
backend_roles:
- "readall"
description: "Demo readall user"
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
reserved: false
backend_roles:
- "snapshotrestore"
description: "Demo snapshotrestore user"

31
wazuh-eks/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml Normal file
View File

@ -0,0 +1,31 @@
cluster.name: ${CLUSTER_NAME}
node.name: ${NODE_NAME}
network.host: ${NETWORK_HOST}
discovery.seed_hosts: wazuh-indexer-0.wazuh-indexer
cluster.initial_master_nodes:
- wazuh-indexer-0
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/node.pem
plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/node-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/node.pem
plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/node-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- CN=admin,O=Company,L=California,C=US
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- CN=wazuh-internal-lb,O=Company,L=California,C=US
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.allow_default_init_securityindex: true
cluster.routing.allocation.disk.threshold_enabled: false
compatibility.override_main_response_version: true

64
wazuh-eks/kustomization.yml Normal file
View File

@ -0,0 +1,64 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Adds wazuh namespace to all resources.
namespace: wazuh
secretGenerator:
- name: indexer-certs
files:
- certs/indexer_cluster/root-ca.pem
- certs/indexer_cluster/node.pem
- certs/indexer_cluster/node-key.pem
- certs/indexer_cluster/dashboard.pem
- certs/indexer_cluster/dashboard-key.pem
- certs/indexer_cluster/admin.pem
- certs/indexer_cluster/admin-key.pem
- certs/indexer_cluster/filebeat.pem
- certs/indexer_cluster/filebeat-key.pem
- name: dashboard-certs
files:
- certs/dashboard_http/cert.pem
- certs/dashboard_http/key.pem
- certs/indexer_cluster/root-ca.pem
configMapGenerator:
- name: indexer-conf
files:
- indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml
- indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml
- name: wazuh-conf
files:
- wazuh_managers/wazuh_conf/master.conf
- wazuh_managers/wazuh_conf/worker.conf
- name: dashboard-conf
files:
- indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml
resources:
- base/wazuh-ns.yaml
- base/storage-class.yaml
- secrets/wazuh-api-cred-secret.yaml
- secrets/wazuh-authd-pass-secret.yaml
- secrets/wazuh-cluster-key-secret.yaml
- secrets/dashboard-cred-secret.yaml
- secrets/indexer-cred-secret.yaml
- wazuh_managers/wazuh-master-sts.yaml
- wazuh_managers/wazuh-worker-sts.yaml
- wazuh_managers/wazuh-cluster-svc.yaml
- indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml
- indexer_stack/wazuh-indexer/indexer-svc.yaml
- indexer_stack/wazuh-dashboard/lb-external.yaml
- indexer_stack/wazuh-dashboard/lb-internal.yaml
- indexer_stack/wazuh-dashboard/dashboard-deploy.yaml

16
wazuh-eks/secrets/dashboard-cred-secret.yaml Normal file
View File

@ -0,0 +1,16 @@
# Copyright (C) 2022 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh dashboard API credentials secret
apiVersion: v1
kind: Secret
metadata:
name: dashboard-cred
data:
username: a2liYW5hc2VydmVy # string "kibanaserver" base64 encoded
password: a2liYW5hc2VydmVy # string "kibanaserver" base64 encoded

16
wazuh-eks/secrets/indexer-cred-secret.yaml Normal file
View File

@ -0,0 +1,16 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh API credentials secret
apiVersion: v1
kind: Secret
metadata:
name: indexer-cred
data:
username: YWRtaW4= # string "admin" base64 encoded
password: U2VjcmV0UGFzc3dvcmQ= # string "SecretPassword" base64 encoded

17
wazuh-eks/secrets/wazuh-api-cred-secret.yaml Normal file
View File

@ -0,0 +1,17 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh API credentials secret
apiVersion: v1
kind: Secret
metadata:
name: wazuh-api-cred
namespace: wazuh
data:
username: d2F6dWgtd3Vp # string "wazuh-wui" base64 encoded
password: TXlTM2NyMzdQNDUwci4qLQ== # string "MyS3cr37P450r.*-" base64 encoded

16
wazuh-eks/secrets/wazuh-authd-pass-secret.yaml Normal file
View File

@ -0,0 +1,16 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh authd password secret
apiVersion: v1
kind: Secret
metadata:
name: wazuh-authd-pass
namespace: wazuh
data:
authd.pass: cGFzc3dvcmQ= # string "password" base64 encoded

16
wazuh-eks/secrets/wazuh-cluster-key-secret.yaml Normal file
View File

@ -0,0 +1,16 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh cluster key secret
apiVersion: v1
kind: Secret
metadata:
name: wazuh-cluster-key
namespace: wazuh
data:
key: MTIzYTQ1YmM2N2RlZjg5MWdoMjNpNDVqazY3bDhtbjk= # string "123a45bc67def891gh23i45jk67l8mn9" base64 encoded

24
wazuh-eks/wazuh_managers/wazuh-cluster-svc.yaml Normal file
View File

@ -0,0 +1,24 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh cluster Service: Manager nodes communication
apiVersion: v1
kind: Service
metadata:
name: wazuh-cluster
namespace: wazuh
labels:
app: wazuh-manager
spec:
selector:
app: wazuh-manager
ports:
- name: cluster
port: 1516
targetPort: 1516
clusterIP: None

159
wazuh-eks/wazuh_managers/wazuh-master-sts.yaml Normal file
View File

@ -0,0 +1,159 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh master StatefulSet
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: wazuh-manager-master
namespace: wazuh
spec:
replicas: 1
selector:
matchLabels:
app: wazuh-manager
node-type: master
serviceName: wazuh-cluster
podManagementPolicy: Parallel
template:
metadata:
labels:
app: wazuh-manager
node-type: master
name: wazuh-manager-master
spec:
volumes:
- name: config
configMap:
name: wazuh-conf
- name: filebeat-certs
secret:
secretName: indexer-certs
- name: wazuh-authd-pass
secret:
secretName: wazuh-authd-pass
securityContext:
fsGroup: 101
containers:
- name: wazuh-manager
image: 'wazuh/wazuh-manager:4.9.0'
resources:
limits:
cpu: 400m
memory: 512Mi
securityContext:
capabilities:
add: ["SYS_CHROOT"]
volumeMounts:
- name: config
mountPath: /wazuh-config-mount/etc/ossec.conf
subPath: master.conf
readOnly: true
- name: filebeat-certs
mountPath: /etc/ssl/root-ca.pem
readOnly: true
subPath: root-ca.pem
- name: filebeat-certs
mountPath: /etc/ssl/filebeat.pem
subPath: filebeat.pem
readOnly: true
- name: filebeat-certs
mountPath: /etc/ssl/filebeat.key
subPath: filebeat-key.pem
readOnly: true
- name: wazuh-authd-pass
mountPath: /wazuh-config-mount/etc/authd.pass
subPath: authd.pass
readOnly: true
- name: wazuh-manager-master
mountPath: /var/ossec/api/configuration
subPath: wazuh/var/ossec/api/configuration
- name: wazuh-manager-master
mountPath: /var/ossec/etc
subPath: wazuh/var/ossec/etc
- name: wazuh-manager-master
mountPath: /var/ossec/logs
subPath: wazuh/var/ossec/logs
- name: wazuh-manager-master
mountPath: /var/ossec/queue
subPath: wazuh/var/ossec/queue
- name: wazuh-manager-master
mountPath: /var/ossec/var/multigroups
subPath: wazuh/var/ossec/var/multigroups
- name: wazuh-manager-master
mountPath: /var/ossec/integrations
subPath: wazuh/var/ossec/integrations
- name: wazuh-manager-master
mountPath: /var/ossec/active-response/bin
subPath: wazuh/var/ossec/active-response/bin
- name: wazuh-manager-master
mountPath: /var/ossec/agentless
subPath: wazuh/var/ossec/agentless
- name: wazuh-manager-master
mountPath: /var/ossec/wodles
subPath: wazuh/var/ossec/wodles
- name: wazuh-manager-master
mountPath: /etc/filebeat
subPath: filebeat/etc/filebeat
- name: wazuh-manager-master
mountPath: /var/lib/filebeat
subPath: filebeat/var/lib/filebeat
ports:
- containerPort: 1515
name: registration
- containerPort: 1516
name: cluster
- containerPort: 55000
name: api
env:
- name: INDEXER_URL
value: 'https://wazuh-indexer-0.wazuh-indexer:9200'
- name: INDEXER_USERNAME
valueFrom:
secretKeyRef:
name: indexer-cred
key: username
- name: INDEXER_PASSWORD
valueFrom:
secretKeyRef:
name: indexer-cred
key: password
- name: FILEBEAT_SSL_VERIFICATION_MODE
value: 'full'
- name: SSL_CERTIFICATE_AUTHORITIES
value: /etc/ssl/root-ca.pem
- name: SSL_CERTIFICATE
value: /etc/ssl/filebeat.pem
- name: SSL_KEY
value: /etc/ssl/filebeat.key
- name: API_USERNAME
valueFrom:
secretKeyRef:
name: wazuh-api-cred
key: username
- name: API_PASSWORD
valueFrom:
secretKeyRef:
name: wazuh-api-cred
key: password
- name: WAZUH_CLUSTER_KEY
valueFrom:
secretKeyRef:
name: wazuh-cluster-key
key: key
volumeClaimTemplates:
- metadata:
name: wazuh-manager-master
namespace: wazuh
spec:
accessModes:
- ReadWriteOnce
storageClassName: wazuh-storage
resources:
requests:
storage: 500Mi

146
wazuh-eks/wazuh_managers/wazuh-worker-sts.yaml Normal file
View File

@ -0,0 +1,146 @@
# Copyright (C) 2019, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh workers StatefulSet
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: wazuh-manager-worker
namespace: wazuh
spec:
replicas: 2
selector:
matchLabels:
app: wazuh-manager
node-type: worker
serviceName: wazuh-cluster
podManagementPolicy: Parallel
template:
metadata:
labels:
app: wazuh-manager
node-type: worker
name: wazuh-manager-worker
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
topologyKey: kubernetes.io/hostname
volumes:
- name: config
configMap:
name: wazuh-conf
- name: filebeat-certs
secret:
secretName: indexer-certs
securityContext:
fsGroup: 101
containers:
- name: wazuh-manager
image: 'wazuh/wazuh-manager:4.9.0'
resources:
limits:
cpu: 400m
memory: 512Mi
securityContext:
capabilities:
add: ["SYS_CHROOT"]
volumeMounts:
- name: config
mountPath: /wazuh-config-mount/etc/ossec.conf
subPath: worker.conf
readOnly: true
- name: filebeat-certs
mountPath: /etc/ssl/root-ca.pem
readOnly: true
subPath: root-ca.pem
- name: filebeat-certs
mountPath: /etc/ssl/filebeat.pem
subPath: filebeat.pem
readOnly: true
- name: filebeat-certs
mountPath: /etc/ssl/filebeat.key
subPath: filebeat-key.pem
readOnly: true
- name: wazuh-manager-worker
mountPath: /var/ossec/api/configuration
subPath: wazuh/var/ossec/api/configuration
- name: wazuh-manager-worker
mountPath: /var/ossec/etc
subPath: wazuh/var/ossec/etc
- name: wazuh-manager-worker
mountPath: /var/ossec/logs
subPath: wazuh/var/ossec/logs
- name: wazuh-manager-worker
mountPath: /var/ossec/queue
subPath: wazuh/var/ossec/queue
- name: wazuh-manager-worker
mountPath: /var/ossec/var/multigroups
subPath: wazuh/var/ossec/var/multigroups
- name: wazuh-manager-worker
mountPath: /var/ossec/integrations
subPath: wazuh/var/ossec/integrations
- name: wazuh-manager-worker
mountPath: /var/ossec/active-response/bin
subPath: wazuh/var/ossec/active-response/bin
- name: wazuh-manager-worker
mountPath: /var/ossec/agentless
subPath: wazuh/var/ossec/agentless
- name: wazuh-manager-worker
mountPath: /var/ossec/wodles
subPath: wazuh/var/ossec/wodles
- name: wazuh-manager-worker
mountPath: /etc/filebeat
subPath: filebeat/etc/filebeat
- name: wazuh-manager-worker
mountPath: /var/lib/filebeat
subPath: filebeat/var/lib/filebeat
ports:
- containerPort: 1514
name: agents-events
- containerPort: 1516
name: cluster
env:
- name: INDEXER_URL
value: 'https://wazuh-indexer-0.wazuh-indexer:9200'
- name: INDEXER_USERNAME
valueFrom:
secretKeyRef:
name: indexer-cred
key: username
- name: INDEXER_PASSWORD
valueFrom:
secretKeyRef:
name: indexer-cred
key: password
- name: FILEBEAT_SSL_VERIFICATION_MODE
value: 'full'
- name: SSL_CERTIFICATE_AUTHORITIES
value: /etc/ssl/root-ca.pem
- name: SSL_CERTIFICATE
value: /etc/ssl/filebeat.pem
- name: SSL_KEY
value: /etc/ssl/filebeat.key
- name: WAZUH_CLUSTER_KEY
valueFrom:
secretKeyRef:
name: wazuh-cluster-key
key: key
volumeClaimTemplates:
- metadata:
name: wazuh-manager-worker
namespace: wazuh
spec:
accessModes:
- ReadWriteOnce
storageClassName: wazuh-storage
resources:
requests:
storage: 500Mi

344
wazuh-eks/wazuh_managers/wazuh_conf/master.conf Normal file
View File

@ -0,0 +1,344 @@
<!--
Wazuh - Manager - Default configuration for ubuntu 16.04
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
Customization: TCP on port 1514
Customization: Cluster mode enabled, master node
-->
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<queue_size>131072</queue_size>
<agents_disconnection_time>20s</agents_disconnection_time>
<agents_disconnection_alert_time>100s</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/rootcheck/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/rootcheck/system_audit_ssh.txt</system_audit>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
</wodle>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
<vulnerability-detection>
<enabled>yes</enabled>
<index-status>yes</index-status>
<feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
<indexer>
<enabled>yes</enabled>
<hosts>
<host>https://wazuh-indexer-0.wazuh-indexer:9200</host>
</hosts>
<username>admin</username>
<password>VDPass</password>
<ssl>
<certificate_authorities>
<ca>/etc/ssl/root-ca.pem</ca>
</certificate_authorities>
<certificate>/etc/ssl/filebeat.pem</certificate>
<key>/etc/ssl/filebeat.key</key>
</ssl>
</indexer>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/sys/kernel/security</ignore>
<ignore>/sys/kernel/debug</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<!-- Remove not monitored files -->
<remove_old_diff>yes</remove_old_diff>
<!-- Allow the system to restart Auditd after installing the plugin -->
<restart_audit>yes</restart_audit>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>10.66.0.2</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null-2012</name>
<executable>route-null-2012.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh-win-2016</name>
<executable>netsh-win-2016.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-sources</list>
<list>etc/lists/amazon/aws-eventnames</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for ossec-authd
To enable this service, run:
wazuh-control enable auth
-->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<force>
<enabled>yes</enabled>
<key_mismatch>yes</key_mismatch>
<disconnected_time enabled="yes">1h</disconnected_time>
<after_registration_time>1h</after_registration_time>
</force>
<purge>no</purge>
<use_password>yes</use_password>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>wazuh-manager-master</node_name>
<node_type>master</node_type>
<key>to_be_replaced_by_cluster_key</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh-manager-master-0.wazuh-cluster.wazuh</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
</ossec_config>

344
wazuh-eks/wazuh_managers/wazuh_conf/worker.conf Normal file
View File

@ -0,0 +1,344 @@
<!--
Wazuh - Manager - Default configuration for ubuntu 16.04
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
Customization: TCP on port 1514
Customization: Cluster mode enabled, worker node
-->
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<queue_size>131072</queue_size>
<agents_disconnection_time>20s</agents_disconnection_time>
<agents_disconnection_alert_time>100s</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/rootcheck/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/rootcheck/system_audit_ssh.txt</system_audit>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
</wodle>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
<vulnerability-detection>
<enabled>yes</enabled>
<index-status>yes</index-status>
<feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
<indexer>
<enabled>yes</enabled>
<hosts>
<host>https://wazuh-indexer-0.wazuh-indexer:9200</host>
</hosts>
<username>admin</username>
<password>VDPass</password>
<ssl>
<certificate_authorities>
<ca>/etc/ssl/root-ca.pem</ca>
</certificate_authorities>
<certificate>/etc/ssl/filebeat.pem</certificate>
<key>/etc/ssl/filebeat.key</key>
</ssl>
</indexer>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/sys/kernel/security</ignore>
<ignore>/sys/kernel/debug</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<!-- Remove not monitored files -->
<remove_old_diff>yes</remove_old_diff>
<!-- Allow the system to restart Auditd after installing the plugin -->
<restart_audit>yes</restart_audit>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>10.66.0.2</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null-2012</name>
<executable>route-null-2012.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh-win-2016</name>
<executable>netsh-win-2016.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-sources</list>
<list>etc/lists/amazon/aws-eventnames</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for ossec-authd
To enable this service, run:
wazuh-control enable auth
-->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<force>
<enabled>yes</enabled>
<key_mismatch>yes</key_mismatch>
<disconnected_time enabled="yes">1h</disconnected_time>
<after_registration_time>1h</after_registration_time>
</force>
<purge>no</purge>
<use_password>no</use_password>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>to_be_replaced_by_hostname</node_name>
<node_type>worker</node_type>
<key>to_be_replaced_by_cluster_key</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh-manager-master-0.wazuh-cluster.wazuh</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
</ossec_config>