Merge pull request #118 from wazuh/release-4.0.0_1.10.1

Release 4.0.0 1.10.1
Manuel J. Bernal 2020-11-17 21:33:05 +01:00 committed by GitHub
commit 53ef35ee00
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
30 changed files with 1116 additions and 1407 deletions


@ -2,6 +2,15 @@
All notable changes to this project will be documented in this file.
## [4.0.0]
### Added
- Update to Wazuh version 4.0.0_1.10.1
- Support Opendistro for Elasticsearch v1.10.1
- Use a single wazuh-manager-worker StatefulSet ([@rjmoseley](https://github.com/rjmoseley) [#106](https://github.com/wazuh/wazuh-kubernetes/pull/106))
- Using Kubernetes secrets to store credentials ([@1stOfHisGame](https://github.com/1stOfHisGame) [#108](https://github.com/wazuh/wazuh-kubernetes/pull/108))
## [v3.13.2]
### Added
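Review bot: the entry "Using Kubernetes secrets to store credentials" breaks the imperative form the other entries use ("Update", "Support", "Use"); suggest "Use Kubernetes secrets to store credentials". A `### Removed` entry would also help here, because this release deletes the Nginx reverse proxy (nginx-deploy.yaml and nginx-svc.yaml are removed further down in this PR) and exposes Kibana directly on port 443, which changes how operators reach the UI.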


@ -1,4 +1,4 @@
# Copyright (C) 2018 Wazuh Inc.
# Copyright (C) 2020 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public


@ -1,4 +1,4 @@
# Copyright (C) 2018 Wazuh Inc.
# Copyright (C) 2020 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public

certs/kibana_http/.empty Normal file

@ -0,0 +1 @@


@ -0,0 +1 @@


@ -1,224 +1,19 @@
# Clean up
# Clean up
Steps to perform a clean up of our deployments, services and volumes used in our environment.
Steps to perform a clean up of our deployments, services and volumes used in our environment.
## Wazuh managers
The deployment of the Wazuh cluster of managers involves the use of various statefulSet elements as well as configuration maps and services.
### 1. The first step is to remove the pods corresponding to the managers.
List the pods created.
```
ubuntu@k8s-control-server:~$ kubectl get pods --namespace wazuh
NAME READY STATUS RESTARTS AGE
wazuh-elasticsearch-0 1/1 Running 0 6d
wazuh-kibana-78cb4bbb7-xf4s8 1/1 Running 0 6d
wazuh-manager-master-0 1/1 Running 0 6d
wazuh-manager-worker-0 1/1 Running 0 6d
wazuh-manager-worker-1 1/1 Running 0 6d
wazuh-nginx-57c8c65486-7crh2 1/1 Running 0 6d
```
Proceed to remove the pods from Wazuh managers.
```
ubuntu@k8s-control-server:~$ kubectl delete pod wazuh-manager-master-0 --namespace wazuh
```
```
ubuntu@k8s-control-server:~$ kubectl delete pod wazuh-manager-worker-0 --namespace wazuh
```
```
ubuntu@k8s-control-server:~$ kubectl delete pod wazuh-manager-worker-1 --namespace wazuh
```
The deployment of the Wazuh cluster of managers involves the use of various statefulSet elements as well as configuration maps and services.
### 2. Next remove the services related to the Wazuh cluster.
To delete your Wazuh cluster just use: `kubectl delete -k .` from this repository directory.
List the services created.
```
ubuntu@k8s-control-server:~$ kubectl get services --namespace wazuh
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
elasticsearch ClusterIP 172.20.247.17 <none> 9200/TCP 6d
kibana ClusterIP 172.20.121.19 <none> 5601/TCP 6d
wazuh LoadBalancer 172.20.240.162 internal-ae32... 1515:30732/TCP,55000:30839/TCP 6d
wazuh-cluster ClusterIP None <none> 1516/TCP 6d
wazuh-elasticsearch ClusterIP None <none> 9300/TCP 6d
wazuh-nginx LoadBalancer 172.20.166.239 internal-ac0c... 80:30409/TCP,443:32575/TCP 6d
wazuh-workers LoadBalancer 172.20.17.252 internal-aec3... 1514:32047/TCP 6d
```
### Delete the persistent volumes manually.
Delete the corresponding services.
Since we use `reclaimPolicy: Retain` in the storage class definition you must delete volumes manually if you want to clean these as well.
```
ubuntu@k8s-control-server:~$ kubectl delete service wazuh-cluster --namespace wazuh
```
```
ubuntu@k8s-control-server:~$ kubectl delete service wazuh-workers --namespace wazuh
```
```
ubuntu@k8s-control-server:~$ kubectl delete service wazuh --namespace wazuh
```
### 3. In this step delete the StatefulSet.
```
ubuntu@k8s-control-server:~$ kubectl get StatefulSet --namespace wazuh
NAME DESIRED CURRENT AGE
wazuh-elasticsearch 1 1 6d
wazuh-manager-master 1 1 6d
wazuh-manager-worker 1 1 6d
```
Remove the three StatefulSets from the Wazuh cluster managers.
```
ubuntu@k8s-control-server:~$ kubectl delete StatefulSet wazuh-manager-master --namespace wazuh
```
```
ubuntu@k8s-control-server:~$ kubectl delete StatefulSet wazuh-manager-worker --namespace wazuh
```
### 4. Take care of deleting the configuration maps.
```
ubuntu@k8s-control-server:~$ kubectl get ConfigMap --namespace wazuh
NAME DATA AGE
wazuh-manager-master-conf 1 6d
wazuh-manager-worker-conf 1 6d
```
```
ubuntu@k8s-control-server:~$ kubectl delete ConfigMap wazuh-manager-master-conf --namespace wazuh
```
```
ubuntu@k8s-control-server:~$ kubectl delete ConfigMap wazuh-manager-worker-conf --namespace wazuh
```
### 5. Now eliminate the persistent volume claims.
```
ubuntu@k8s-control-server:~$ kubectl get persistentvolumeclaim --namespace wazuh
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
wazuh-elasticsearch-wazuh-elasticsearch-0 Bound pvc-b3226ad3-f7c4-11e8-b9b8-022ada63b4ac 30Gi RWO gp2-encrypted-retained 6d
wazuh-manager-master-wazuh-manager-master-0 Bound pvc-fb821971-f7c4-11e8-b9b8-022ada63b4ac 10Gi RWO gp2-encrypted-retained 6d
wazuh-manager-worker-wazuh-manager-worker-0 Bound pvc-ffe7bf66-f7c4-11e8-b9b8-022ada63b4ac 10Gi RWO gp2-encrypted-retained 6d
wazuh-manager-worker-wazuh-manager-worker-1 Bound pvc-024466da-f7c5-11e8-b9b8-022ada63b4ac 10Gi RWO gp2-encrypted-retained 6d
```
```
ubuntu@k8s-control-server:~$ kubectl delete persistentvolumeclaim wazuh-manager-master-wazuh-manager-master-0 --namespace wazuh
```
```
ubuntu@k8s-control-server:~$ kubectl delete persistentvolumeclaim wazuh-manager-master-wazuh-manager-worker-0 --namespace wazuh
```
```
ubuntu@k8s-control-server:~$ kubectl delete persistentvolumeclaim wazuh-manager-master-wazuh-manager-worker-1 --namespace wazuh
```
### 6. Finally eliminate the persistent volumes.
```
ubuntu@k8s-control-server:~$ kubectl get persistentvolume
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
pvc-024466da-f7c5-11e8-b9b8-022ada63b4ac 10Gi RWO Retain Bound wazuh/wazuh-manager-worker-wazuh-manager-worker-1 gp2-encrypted-retained 6d
pvc-b3226ad3-f7c4-11e8-b9b8-022ada63b4ac 30Gi RWO Retain Bound wazuh/wazuh-elasticsearch-wazuh-elasticsearch-0 gp2-encrypted-retained 6d
pvc-fb821971-f7c4-11e8-b9b8-022ada63b4ac 10Gi RWO Retain Bound wazuh/wazuh-manager-master-wazuh-manager-master-0 gp2-encrypted-retained 6d
pvc-ffe7bf66-f7c4-11e8-b9b8-022ada63b4ac 10Gi RWO Retain Bound wazuh/wazuh-manager-worker-wazuh-manager-worker-0 gp2-encrypted-retained 6d
```
Master.
```
ubuntu@k8s-control-server:~$ kubectl delete persistentvolume pvc-fb821971-f7c4-11e8-b9b8-022ada63b4ac
```
Worker 0.
```
ubuntu@k8s-control-server:~$ kubectl delete persistentvolume pvc-ffe7bf66-f7c4-11e8-b9b8-022ada63b4ac
```
Worker 1.
```
ubuntu@k8s-control-server:~$ kubectl delete persistentvolume pvc-024466da-f7c5-11e8-b9b8-022ada63b4ac
```
#### Do not forget to delete the volumes manually in AWS.
## Elasticsearch
The process for cleaning the Elasticsearch installation environment is similar to that of the Wazuh cluster. In order to do this remove the Elasticsearch deployment as well as its associated services and volumes.
### 1. The first step is to remove the pods corresponding to Elasticsearch.
```
ubuntu@k8s-control-server:~$ kubectl get pods --namespace wazuh
NAME READY STATUS RESTARTS AGE
wazuh-elasticsearch-0 1/1 Running 0 6d
wazuh-kibana-78cb4bbb7-xf4s8 1/1 Running 0 6d
wazuh-nginx-57c8c65486-7crh2 1/1 Running 0 6d
```
```
ubuntu@k8s-control-server:~$ kubectl delete pod wazuh-elasticsearch-0 --namespace wazuh
```
### 2. Next remove the services related to Elasticsearch.
```
ubuntu@k8s-control-server:~$ kubectl get services --namespace wazuh
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
elasticsearch ClusterIP 172.20.247.17 <none> 9200/TCP 6d
kibana ClusterIP 172.20.121.19 <none> 5601/TCP 6d
wazuh-elasticsearch ClusterIP None <none> 9300/TCP 6d
wazuh-nginx LoadBalancer 172.20.166.239 internal-ac0c... 80:30409/TCP,443:32575/TCP 6d
```
```
ubuntu@k8s-control-server:~$ kubectl delete service elasticsearch --namespace wazuh
```
```
ubuntu@k8s-control-server:~$ kubectl delete service wazuh-elasticsearch --namespace wazuh
```
### 3. In this step delete the StatefulSet.
```
ubuntu@k8s-control-server:~$ kubectl get StatefulSet --namespace wazuh
NAME DESIRED CURRENT AGE
wazuh-elasticsearch 1 1 6d
```
```
ubuntu@k8s-control-server:~$ kubectl delete StatefulSet wazuh-elasticsearch --namespace wazuh
```
### 4. Now eliminate the persistent volume claims.
```
ubuntu@k8s-control-server:~$ kubectl get persistentvolumeclaim --namespace wazuh
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
wazuh-elasticsearch-wazuh-elasticsearch-0 Bound pvc-b3226ad3-f7c4-11e8-b9b8-022ada63b4ac 30Gi RWO gp2-encrypted-retained 6d
```
```
ubuntu@k8s-control-server:~$ kubectl delete persistentvolumeclaim wazuh-elasticsearch-wazuh-elasticsearch-0 --namespace wazuh
```
### 5. Finally delete the persistent volumes.
```
ubuntu@k8s-control-server:~$ kubectl get persistentvolume
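Review bot: `kubectl delete -k .` also removes the wazuh namespace, because base/wazuh-ns.yaml is listed under `resources` in kustomization.yml in this PR; that deletes every PVC in the namespace together with the pods, which the text should state explicitly so nobody runs it expecting only the workloads to go. Since the storage class uses `reclaimPolicy: Retain`, the PVs stay behind in the `Released` state and keep their data; suggest one sentence naming that state so the reader knows which volumes to delete in the following step.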
@ -229,68 +24,8 @@ pvc-fb821971-f7c4-11e8-b9b8-022ada63b4ac 10Gi RWO Retain
pvc-ffe7bf66-f7c4-11e8-b9b8-022ada63b4ac 10Gi RWO Retain Released wazuh/wazuh-manager-worker-wazuh-manager-worker-0 gp2-encrypted-retained 6d
```
Master.
```
ubuntu@k8s-control-server:~$ kubectl delete persistentvolume pvc-b3226ad3-f7c4-11e8-b9b8-022ada63b4ac
```
#### Do not forget to delete the volumes manually in AWS.
## Kibana and Nginx
To clean the Kibana and Nginx installation remove their deployments and services.
### 1. The first step is to remove the pods corresponding to Kibana and Nginx.
```
ubuntu@k8s-control-server:~$ kubectl get pods --namespace wazuh
NAME READY STATUS RESTARTS AGE
wazuh-kibana-78cb4bbb7-xf4s8 1/1 Running 0 6d
wazuh-nginx-57c8c65486-7crh2 1/1 Running 0 6d
```
```
ubuntu@k8s-control-server:~$ kubectl delete pod wazuh-kibana-78cb4bbb7-xf4s8 --namespace wazuh
```
```
ubuntu@k8s-control-server:~$ kubectl delete pod wazuh-nginx-57c8c65486-7crh2 --namespace wazuh
```
### 2. Next remove the services related to Kibana and Nginx.
```
ubuntu@k8s-control-server:~$ kubectl get services --namespace wazuh
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kibana ClusterIP 172.20.121.19 <none> 5601/TCP 6d
wazuh-nginx LoadBalancer 172.20.166.239 internal-ac0c... 80:30409/TCP,443:32575/TCP 6d
```
```
ubuntu@k8s-control-server:~$ kubectl delete service kibana --namespace wazuh
```
```
ubuntu@k8s-control-server:~$ kubectl delete service wazuh-nginx --namespace wazuh
```
### 3. Finally delete the deployments.
```
ubuntu@k8s-control-server:~$ kubectl get deploy --namespace wazuh
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
wazuh-kibana 1 1 1 1 6d
wazuh-nginx 1 1 1 1 6d
```
```
ubuntu@k8s-control-server:~$ kubectl delete deploy wazuh-kibana --namespace wazuh
```
```
ubuntu@k8s-control-server:~$ kubectl delete deploy wazuh-nginx --namespace wazuh
```
Once these steps are completed, our Kubernetes environment will be clean of deployments relating to the Wazuh cluster and related Elastic Stack components.
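Review bot: the line "#### Do not forget to delete the volumes manually in AWS." is removed, but with `reclaimPolicy: Retain` a `kubectl delete persistentvolume` only drops the Kubernetes object; the EBS volume, with the alert indexes and manager state on it, stays allocated (and billed) until it is deleted in AWS. Suggest keeping that reminder after the `kubectl delete persistentvolume` step.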


@ -1,4 +1,4 @@
# Copyright (C) 2018 Wazuh Inc.
# Copyright (C) 2020 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public


@ -1,105 +0,0 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Elasticsearch StatefulSet: 3 data nodes.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: data-elasticsearch
namespace: wazuh
spec:
replicas: 3
selector:
matchLabels:
app: wazuh-elasticsearch
serviceName: wazuh-elasticsearch
template:
metadata:
labels:
app: wazuh-elasticsearch
name: wazuh-elasticsearch
spec:
# Set the wazuh-elasticsearch volume permissions so the elasticsearch user can use it!
initContainers:
- name: volume-mount-hack
image: busybox
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 100m
memory: 256Mi
command:
- sh
- '-c'
- 'chown -R 1000:1000 /usr/share/elasticsearch/data'
volumeMounts:
- name: wazuh-elasticsearch
mountPath: /usr/share/elasticsearch/data
- name: increase-the-vm-max-map-count
image: busybox
command:
- sysctl
- -w
- vm.max_map_count=262144
securityContext:
privileged: true
containers:
- name: wazuh-elasticsearch
image: 'wazuh/wazuh-elasticsearch:3.13.2_7.9.1'
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 1
memory: 2Gi
env:
- name: ES_JAVA_OPTS
value: '-Xms1024m -Xmx1024m'
- name: node.master
value: "false"
- name: node.data
value: "true"
- name: node.ingest
value: "false"
- name: bootstrap.memory_lock
value: "false"
- name: cluster.name
value: wazuh
- name: network.host
value: 0.0.0.0
- name: node.name
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: discovery.zen.ping.unicast.hosts
value: "wazuh-elasticsearch"
volumeMounts:
- name: wazuh-elasticsearch
mountPath: /usr/share/elasticsearch/data
securityContext:
capabilities:
add: ["SYS_CHROOT"]
ports:
- containerPort: 9200
name: es-rest
- containerPort: 9300
name: es-nodes
volumeClaimTemplates:
- metadata:
name: wazuh-elasticsearch
namespace: es-cluster
spec:
accessModes:
- ReadWriteOnce
storageClassName: gp2-encrypted-retained
resources:
requests:
storage: 10Gi


@ -1,4 +1,4 @@
# Copyright (C) 2018 Wazuh Inc.
# Copyright (C) 2020 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
@ -24,7 +24,14 @@ spec:
app: wazuh-elasticsearch
name: wazuh-elasticsearch
spec:
# Set the wazuh-elasticsearch volume permissions so the elasticsearch user can use it!
# Set the wazuh-elasticsearch volume permissions so the elasticsearch user can use it
volumes:
- name: odfe-ssl-certs
secret:
secretName: odfe-ssl-certs
- name: elastic-odfe-conf
configMap:
name: elastic-odfe-conf
initContainers:
- name: volume-mount-hack
image: busybox
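Review bot: the comment "Set the wazuh-elasticsearch volume permissions so the elasticsearch user can use it" now sits above `volumes:` instead of `initContainers:`, where the `volume-mount-hack` container it describes lives; move it back down. Also, the `odfe-ssl-certs` Secret volume carries node-key.pem and admin-key.pem and is projected with the default file mode (0644), so both private keys are readable by any uid inside the container; consider a restrictive `defaultMode` (for example 0440 together with an `fsGroup` matching the uid 1000 that the init container's `chown` targets).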
@ -52,7 +59,7 @@ spec:
privileged: true
containers:
- name: wazuh-elasticsearch
image: 'wazuh/wazuh-elasticsearch:3.13.2_7.9.1'
image: 'amazon/opendistro-for-elasticsearch:1.10.1'
resources:
requests:
cpu: 500m
@ -62,33 +69,55 @@ spec:
memory: 2Gi
env:
- name: ES_JAVA_OPTS
value: '-Xms512m -Xmx512m'
- name: node.master
value: 'true'
- name: node.data
value: 'false'
- name: node.ingest
value: 'false'
- name: bootstrap.memory_lock
value: 'false'
- name: cluster.name
value: '-Xms1g -Xmx1g'
- name: CLUSTER_NAME
value: wazuh
- name: network.host
value: 0.0.0.0
- name: node.name
- name: NETWORK_HOST
value: "0.0.0.0"
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: discovery.zen.ping.unicast.hosts
value: "wazuh-elasticsearch"
- name: discovery.zen.minimum_master_nodes
value: "2"
volumeMounts:
- name: wazuh-elasticsearch
mountPath: /usr/share/elasticsearch/data
- name: DISCOVERY_SERVICE
value: wazuh-elasticsearch
- name: KUBERNETES_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
capabilities:
add: ["SYS_CHROOT"]
volumeMounts:
- name: wazuh-elasticsearch
mountPath: /usr/share/elasticsearch/data
- name: odfe-ssl-certs
mountPath: /usr/share/elasticsearch/config/node-key.pem
subPath: node-key.pem
readOnly: true
- name: odfe-ssl-certs
mountPath: /usr/share/elasticsearch/config/node.pem
subPath: node.pem
readOnly: true
- name: odfe-ssl-certs
mountPath: /usr/share/elasticsearch/config/root-ca.pem
subPath: root-ca.pem
readOnly: true
- name: odfe-ssl-certs
mountPath: /usr/share/elasticsearch/config/admin.pem
subPath: admin.pem
readOnly: true
- name: odfe-ssl-certs
mountPath: /usr/share/elasticsearch/config/admin-key.pem
subPath: admin-key.pem
readOnly: true
- name: elastic-odfe-conf
mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
subPath: elasticsearch.yml
readOnly: true
- name: elastic-odfe-conf
mountPath: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
subPath: internal_users.yml
readOnly: true
ports:
- containerPort: 9200
name: es-rest
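Review bot: admin.pem and admin-key.pem are mounted into every Elasticsearch pod, but the admin certificate is only needed where securityadmin is run to load the security index; placing the superuser key on all three data nodes widens what a compromised node can do, so consider mounting it only where that tool runs. One caveat for all the `subPath` mounts in this hunk: a file mounted via `subPath` is not refreshed when the Secret or ConfigMap changes, so rotating node.pem/node-key.pem or editing elasticsearch.yml requires a pod restart; worth a comment next to the first `subPath:` line.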


@ -0,0 +1,28 @@
cluster.name: ${CLUSTER_NAME}
node.name: ${NODE_NAME}
network.host: ${NETWORK_HOST}
discovery.seed_hosts: wazuh-elasticsearch-0.wazuh-elasticsearch
cluster.initial_master_nodes:
- wazuh-elasticsearch-0
opendistro_security.ssl.transport.enabled: true
opendistro_security.ssl.transport.pemcert_filepath: node.pem
opendistro_security.ssl.transport.pemkey_filepath: node-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node.pem
opendistro_security.ssl.http.pemkey_filepath: node-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.audit.config.index: "'security-auditlog-'YYYY.MM"
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
- CN=admin,O=Company,L=California,C=US
opendistro_security.nodes_dn:
- CN=*.elasticsearch,O=Company,L=California,C=US
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access", "service_full_access"]
cluster.routing.allocation.disk.threshold_enabled: false
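Review bot: `discovery.seed_hosts` and `cluster.initial_master_nodes` name only `wazuh-elasticsearch-0`, while the StatefulSet this PR deploys runs three replicas (the README sample output shows `wazuh-elasticsearch 3/3`); a node that restarts while pod 0 is down cannot rediscover the cluster. Suggest listing all three pod DNS names (or the headless `wazuh-elasticsearch` service) under `discovery.seed_hosts`, and all three under `cluster.initial_master_nodes` for the first bootstrap. On the TLS side, `opendistro_security.ssl.transport.enforce_hostname_verification: false` together with the `CN=*.elasticsearch` pattern in `nodes_dn` means any certificate signed by root-ca.pem with a matching subject is accepted as a cluster node; document that this is a demo setting to be switched on once per-node certificates are issued.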


@ -0,0 +1,56 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
## Demo users
admin:
hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
kibanaserver:
hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
reserved: true
description: "Demo kibanaserver user"
kibanaro:
hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo kibanaro user"
logstash:
hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
backend_roles:
- "logstash"
description: "Demo logstash user"
readall:
hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
backend_roles:
- "readall"
description: "Demo readall user"
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
reserved: false
backend_roles:
- "snapshotrestore"
description: "Demo snapshotrestore user"
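Review bot: this file holds bcrypt hashes for six accounts and is delivered through `configMapGenerator` (elastic-odfe-conf) in kustomization.yml, so the hashes are readable by anyone with `get configmaps` in the namespace; move internal_users.yml to a `secretGenerator` entry instead. The accounts are labelled demo users and `allow_default_init_securityindex: true` loads them on first start, so the README should tell deployers to regenerate the hashes with plugin/tools/hash.sh (as the header comment says) and to drop the accounts nothing visible in this PR references (kibanaro, logstash, readall, snapshotrestore).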


@ -1,23 +0,0 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Elasticsearch service: API
apiVersion: v1
kind: Service
metadata:
name: elasticsearch
namespace: wazuh
labels:
app: wazuh-elasticsearch
spec:
selector:
app: wazuh-elasticsearch
ports:
- name: es-rest
port: 9200
targetPort: 9200


@ -1,95 +0,0 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Elasticsearch StatefulSet: Single node.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: wazuh-elasticsearch
namespace: wazuh
spec:
replicas: 1
selector:
matchLabels:
app: wazuh-elasticsearch
serviceName: wazuh-elasticsearch
template:
metadata:
labels:
app: wazuh-elasticsearch
name: wazuh-elasticsearch
spec:
# Set the wazuh-elasticsearch volume permissions so the elasticsearch user can use it!
initContainers:
- name: volume-mount-hack
image: busybox
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 100m
memory: 256Mi
command:
- sh
- '-c'
- 'chown -R 1000:1000 /usr/share/elasticsearch/data'
volumeMounts:
- name: wazuh-elasticsearch
mountPath: /usr/share/elasticsearch/data
- name: increase-the-vm-max-map-count
image: busybox
command:
- sysctl
- -w
- vm.max_map_count=262144
securityContext:
privileged: true
containers:
- name: wazuh-elasticsearch
image: 'wazuh/wazuh-elasticsearch:3.13.2_7.9.1'
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 1
memory: 2Gi
env:
- name: ES_JAVA_OPTS
value: '-Xms1024m -Xmx1024m'
- name: bootstrap.memory_lock
value: 'false'
- name: cluster.name
value: wazuh
- name: network.host
value: 0.0.0.0
- name: node.name
value: node-1
securityContext:
capabilities:
add: ["SYS_CHROOT"]
volumeMounts:
- name: wazuh-elasticsearch
mountPath: /usr/share/elasticsearch/data
ports:
- containerPort: 9200
name: es-rest
- containerPort: 9300
name: es-nodes
volumeClaimTemplates:
- metadata:
name: wazuh-elasticsearch
namespace: wazuh
spec:
accessModes:
- ReadWriteOnce
storageClassName: gp2-encrypted-retained
resources:
requests:
storage: 30Gi


@ -23,21 +23,54 @@ spec:
app: wazuh-kibana
name: wazuh-kibana
spec:
volumes:
- name: kibana-certs
secret:
secretName: kibana-certs
containers:
- name: wazuh-kibana
image: 'wazuh/wazuh-kibana:3.13.2_7.9.1'
image: 'wazuh/wazuh-kibana-odfe:4.0.0_1.10.1'
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 400m
memory: 2048Mi
memory: 2Gi
volumeMounts:
- name: kibana-certs
mountPath: /usr/share/kibana/config/cert.pem
readOnly: true
subPath: cert.pem
- name: kibana-certs
mountPath: /usr/share/kibana/config/key.pem
readOnly: true
subPath: key.pem
ports:
- containerPort: 5601
name: kibana
env:
- name: ELASTICSEARCH_URL
value: 'http://elasticsearch:9200'
- name: NODE_OPTIONS
value: '--max-old-space-size=2048'
value: 'https://wazuh-elasticsearch-0.wazuh-elasticsearch:9200'
- name: ELASTICSEARCH_USERNAME
valueFrom:
secretKeyRef:
name: elastic-cred
key: username
- name: ELASTICSEARCH_PASSWORD
valueFrom:
secretKeyRef:
name: elastic-cred
key: password
- name: SERVER_SSL_ENABLED
value: "true"
- name: SERVER_SSL_CERTIFICATE
value: /usr/share/kibana/config/cert.pem
- name: SERVER_SSL_KEY
value: /usr/share/kibana/config/key.pem
- name: WAZUH_API_URL
value: https://wazuh-manager-master-0.wazuh-cluster
- name: API_USERNAME
value: wazuh-wui
- name: API_PASSWORD
value: wazuh-wui
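Review bot: `API_USERNAME` / `API_PASSWORD` are set as plain-text values `wazuh-wui` / `wazuh-wui`, while `secrets/wazuh-api-cred-secret.yaml` in this same PR stores `wazuh-wui` / `MyS3cr37P450r.*-` for the API user; one of the two is wrong, and the Kibana app will fail to authenticate if the manager takes its credentials from the secret. Suggest reading both values with `secretKeyRef` from `wazuh-api-cred`, exactly as `ELASTICSEARCH_USERNAME` / `ELASTICSEARCH_PASSWORD` already do from `elastic-cred`, so the password lives in one place and is not written into the Deployment spec.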


@ -14,10 +14,17 @@ metadata:
namespace: wazuh
labels:
app: wazuh-kibana
# dns: route53
annotations:
# domainName: 'changeme'
# service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 'changeme'
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: '443'
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
spec:
type: LoadBalancer
selector:
app: wazuh-kibana
ports:
- name: kibana
port: 5601
port: 443
targetPort: 5601
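Review bot: the ELB annotations enable TLS on port 443 (`aws-load-balancer-ssl-ports: '443'`) but the `aws-load-balancer-ssl-cert` line stays commented out with `changeme`, and the README paragraph that told the deployer to set that ACM ARN and `domainName` is removed elsewhere in this PR; either document the requirement again next to `kubectl apply -k .`, or drop the two annotations and rely on the certificate Kibana itself serves from `kibana-certs`.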


@ -1,45 +0,0 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Nginx Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: wazuh-nginx
namespace: wazuh
spec:
replicas: 1
selector:
matchLabels:
app: wazuh-nginx
template:
metadata:
labels:
app: wazuh-nginx
name: wazuh-nginx
spec:
containers:
- name: wazuh-nginx
image: 'wazuh/wazuh-nginx:3.13.2_7.9.1'
resources:
requests:
cpu: 100m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
env:
- name: NGINX_PORT
value: '443'
- name: NGINX_NAME
value: 'foo'
- name: NGINX_PWD
value: 'bar'
ports:
- containerPort: 80
- containerPort: 443


@ -1,30 +0,0 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Nginx service
apiVersion: v1
kind: Service
metadata:
name: wazuh-nginx
namespace: wazuh
labels:
app: wazuh-nginx
# dns: route53
annotations:
# domainName: 'changeme'
# service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 'changeme'
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: '443'
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
spec:
type: LoadBalancer
selector:
app: wazuh-nginx
ports:
- name: web-https
port: 443
targetPort: 443


@ -29,7 +29,7 @@ This pod contains the master node of the Wazuh cluster. The master node centrali
The management is performed only in this node, so the agent registration service (authd) and the API are placed here.
Details:
- Image: Docker Hub 'wazuh/wazuh:3.13.2_7.9.1'
- Image: Docker Hub 'wazuh/wazuh-odfe'
- Controller: StatefulSet
#### Wazuh worker 0 / 1
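Review bot: the image is now listed as 'wazuh/wazuh-odfe' with no tag, whereas the previous entry carried the version and the Kibana deployment in this PR pins 'wazuh/wazuh-kibana-odfe:4.0.0_1.10.1'; give the full tag here so the README states exactly what is deployed. The same applies to the worker, Elasticsearch and Kibana entries in the next three hunks.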
@ -37,7 +37,7 @@ Details:
These pods contain a worker node of the Wazuh cluster. They will receive the agent events.
Details:
- Image: Docker Hub 'wazuh/wazuh:3.13.2_7.9.1'
- Image: Docker Hub 'wazuh/wazuh-odfe'
- Controller: StatefulSet
@ -46,7 +46,7 @@ Details:
Elasticsearch pod. No Elasticsearch cluster is supported yet.
Details:
- Image: wazuh/wazuh-elasticsearch:3.13.2_7.9.1
- Image: amazon/opendistro-for-elasticsearch
- Controller: StatefulSet
#### Kibana
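Review bot: the context line "Elasticsearch pod. No Elasticsearch cluster is supported yet." is now stale: kustomization.yml in this PR deploys elastic_stack/elasticsearch/cluster/elasticsearch-sts.yaml and the README's own sample output below shows `wazuh-elasticsearch 3/3`. Update the sentence to describe the three-node StatefulSet.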
@ -54,18 +54,9 @@ Details:
Kibana pod. It lets you visualize your Elasticsearch data, along with other features as the Wazuh app.
Details:
- image: Docker Hub 'wazuh/kibana:3.13.2_7.9.1'
- image: Docker Hub 'wazuh/wazuh-kibana-odfe'
- Controller: Deployment
#### Nginx
The nginx pod acts as a reverse proxy for a safer access to Kibana.
Details:
- image: Docker Hub 'wazuh/nginx:3.13.2_7.9.1'
- Controller: Deployment
### Services
#### Elastic stack
@ -74,10 +65,8 @@ Details:
- Communication for Elasticsearch nodes.
- elasticsearch:
- Elasticsearch API. Used by Kibana to write/read alerts.
- wazuh-nginx:
- Nginx proxy to access Kibana: https://wazuh.your-domain.com:443
- kibana:
- Kibana service.
- Kibana service. https://wazuh.your-domain.com:443
#### Wazuh
@ -119,58 +108,14 @@ $ git clone https://github.com/wazuh/wazuh-kubernetes.git
$ cd wazuh-kubernetes
```
### Step 3.1: Wazuh namespace and StorageClass
### Step 3.1: Apply all manifests using kustomize
The Wazuh namespace is used to handle all the Kubernetes elements (services, deployments, pods) necessary for Wazuh. In addition, you must create a StorageClass to use AWS EBS storage in our StateFulSet applications.
By using the kustomization.yml we can now deploy the whole cluster in a single command.
```BASH
$ kubectl apply -f base/wazuh-ns.yaml
$ kubectl apply -f base/aws-gp2-storage-class.yaml
$ kubectl apply -k .
```
### Step 3.2: Deploy Elasticsearch
Elasticsearch deployment.
```BASH
$ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-svc.yaml
$ kubectl apply -f elastic_stack/elasticsearch/<architecture>/elasticsearch-api-svc.yaml
$ kubectl apply -f elastic_stack/elasticsearch/<architecture>/elasticsearch-sts.yaml
```
Where `<architecture>` is either `single-node` or `cluster`
### Step 3.3: Deploy Kibana and Nginx
Kibana and Nginx deployment.
In case you need to provide a domain name, update the `domainName` annotation value in the [nginx-svc.yaml](elastic_stack/kibana/nginx-svc.yaml) file before deploying that service. You should also set a valid AWS ACM certificate ARN in the [nginx-svc.yaml](elastic_stack/kibana/nginx-svc.yaml) for the `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` annotation. That certificate should match with the `domainName`.
```BASH
$ kubectl apply -f elastic_stack/kibana/kibana-svc.yaml
$ kubectl apply -f elastic_stack/kibana/nginx-svc.yaml
$ kubectl apply -f elastic_stack/kibana/kibana-deploy.yaml
$ kubectl apply -f elastic_stack/kibana/nginx-deploy.yaml
```
### Step 3.5: Deploy Wazuh
Wazuh cluster deployment.
In case you need to provide a domain name, update the `domainName` annotation value in both the [wazuh-master-svc.yaml](wazuh_managers/wazuh-master-svc.yaml) and the [wazuh-workers-svc.yaml](wazuh_managers/wazuh-workers-svc.yaml) files before deploying those services. You should also set a valid AWS ACM certificate ARN in the [wazuh-master-svc.yaml](wazuh_managers/wazuh-master-svc.yaml) for the `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` annotation. That certificate should match with the `domainName`.
```BASH
$ kubectl apply -f wazuh_managers/wazuh-master-svc.yaml
$ kubectl apply -f wazuh_managers/wazuh-cluster-svc.yaml
$ kubectl apply -f wazuh_managers/wazuh-workers-svc.yaml
$ kubectl apply -f wazuh_managers/wazuh-master-conf.yaml
$ kubectl apply -f wazuh_managers/wazuh-worker-conf.yaml
$ kubectl apply -f wazuh_managers/wazuh-master-sts.yaml
$ kubectl apply -f wazuh_managers/wazuh-worker-sts.yaml
```
### Verifying the deployment
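Review bot: Step 3.1 jumps straight to `kubectl apply -k .`, but the `secretGenerator` entries in kustomization.yml read certs/odfe_cluster/*.pem and certs/kibana_http/cert.pem and key.pem from disk, and this PR only adds `.empty` placeholders in those directories, so the apply fails until the certificates exist. Add a step before 3.1 that says which files must be generated and placed there (node, admin, filebeat and Kibana certificates signed by root-ca.pem, with subjects matching the `nodes_dn` / `admin_dn` patterns in elasticsearch.yml), and restore the note about setting the ACM certificate ARN and `domainName` in kibana-svc.yaml that this hunk deletes.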
@ -191,7 +136,6 @@ kibana ClusterIP xxx.yy.zzz.76 <none> 5601/TC
wazuh LoadBalancer xxx.yy.zzz.209 internal-a7a8... 1515:32623/TCP,55000:30283/TCP 9m
wazuh-cluster ClusterIP None <none> 1516/TCP 9m
wazuh-elasticsearch ClusterIP None <none> 9300/TCP 12m
wazuh-nginx LoadBalancer xxx.yy.zzz.223 internal-a3b1... 80:31831/TCP,443:30974/TCP 11m
wazuh-workers LoadBalancer xxx.yy.zzz.26 internal-a7f9... 1514:31593/TCP 9m
```
@ -201,31 +145,30 @@ wazuh-workers LoadBalancer xxx.yy.zzz.26 internal-a7f9... 1514:31
$ kubectl get deployments -n wazuh
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
wazuh-kibana 1 1 1 1 11m
wazuh-nginx 1 1 1 1 11m
```
#### Statefulsets
```BASH
$ kubectl get statefulsets -n wazuh
NAME DESIRED CURRENT AGE
wazuh-elasticsearch 1 1 13m
wazuh-manager-master 1 1 9m
wazuh-manager-worker 1 1 9m
NAME READY AGE
wazuh-elasticsearch 3/3 15m
wazuh-manager-master 1/1 15m
wazuh-manager-worker 2/2 15m
```
#### Pods
```BASH
$ kubectl get pods -n wazuh
NAME READY STATUS RESTARTS AGE
wazuh-elasticsearch-0 1/1 Running 0 15m
wazuh-kibana-f4d9c7944-httsd 1/1 Running 0 14m
wazuh-manager-master-0 1/1 Running 0 12m
wazuh-manager-worker-0 1/1 Running 0 11m
wazuh-manager-worker-1 1/1 Running 0 11m
wazuh-nginx-748fb8494f-xwwhw 1/1 Running 0 14m
NAME READY STATUS RESTARTS AGE
wazuh-elasticsearch-0 1/1 Running 0 15m
wazuh-elasticsearch-1 1/1 Running 0 15m
wazuh-elasticsearch-2 1/1 Running 0 14m
wazuh-kibana-7c9657f5c5-z95pt 1/1 Running 0 6m18s
wazuh-manager-master-0 1/1 Running 0 6m10s
wazuh-manager-worker-0 1/1 Running 0 8m18s
wazuh-manager-worker-1 1/1 Running 0 8m38s
```
#### Accessing Kibana
@ -237,5 +180,5 @@ Also, you can access using the External-IP (from the VPC): https://internal-xxx-
```BASH
$ kubectl get services -o wide -n wazuh
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
wazuh-nginx LoadBalancer xxx.xx.xxx.xxx internal-xxx-yyy.us-east-1.elb.amazonaws.com 80:31831/TCP,443:30974/TCP 15m app=wazuh-nginx
kibana LoadBalancer xxx.xx.xxx.xxx internal-xxx-yyy.us-east-1.elb.amazonaws.com 80:31831/TCP,443:30974/TCP 15m app=wazuh-nginx
```
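Review bot: the replacement output line still shows `80:31831/TCP,443:30974/TCP` and selector `app=wazuh-nginx`, but kibana-svc.yaml in this PR exposes only port 443 and selects `app=wazuh-kibana`; the sample should show a single `443:.../TCP` mapping with `app=wazuh-kibana` so readers do not look for a port 80 listener that no longer exists.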

kustomization.yml Normal file

@ -0,0 +1,61 @@
# Copyright (C) 2020 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Adds wazuh namespace to all resources.
namespace: wazuh
secretGenerator:
- name: odfe-ssl-certs
files:
- certs/odfe_cluster/root-ca.pem
- certs/odfe_cluster/node.pem
- certs/odfe_cluster/node-key.pem
- certs/odfe_cluster/kibana.pem
- certs/odfe_cluster/kibana-key.pem
- certs/odfe_cluster/admin.pem
- certs/odfe_cluster/admin-key.pem
- certs/odfe_cluster/filebeat.pem
- certs/odfe_cluster/filebeat-key.pem
- name: kibana-certs
files:
- certs/kibana_http/cert.pem
- certs/kibana_http/key.pem
configMapGenerator:
- name: elastic-odfe-conf
files:
- elastic_stack/elasticsearch/elastic_conf/elasticsearch.yml
- elastic_stack/elasticsearch/elastic_conf/internal_users.yml
- name: wazuh-conf
files:
- wazuh_managers/wazuh_conf/master.conf
- wazuh_managers/wazuh_conf/worker.conf
resources:
- base/wazuh-ns.yaml
- base/aws-gp2-storage-class.yaml
- secrets/wazuh-api-cred-secret.yaml
- secrets/wazuh-authd-pass-secret.yaml
- secrets/wazuh-cluster-key-secret.yaml
- secrets/elastic-cred-secret.yaml
- wazuh_managers/wazuh-cluster-svc.yaml
- wazuh_managers/wazuh-master-svc.yaml
- wazuh_managers/wazuh-workers-svc.yaml
- wazuh_managers/wazuh-master-sts.yaml
- wazuh_managers/wazuh-worker-sts.yaml
- elastic_stack/elasticsearch/elasticsearch-svc.yaml
- elastic_stack/elasticsearch/cluster/elasticsearch-api-svc.yaml
- elastic_stack/elasticsearch/cluster/elasticsearch-sts.yaml
- elastic_stack/kibana/kibana-svc.yaml
- elastic_stack/kibana/kibana-deploy.yaml
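Review bot: the `odfe-ssl-certs` secretGenerator bundles the cluster root CA, the node, kibana and filebeat key pairs and the `admin.pem`/`admin-key.pem` pair into a single secret, and the manager StatefulSets in this PR mount that same secret as `filebeat-certs`, so every manager pod is bound to a secret that also holds the ODFE admin client key. Generate one secret per consumer (for example `odfe-node-certs`, `odfe-admin-certs` and `filebeat-certs`) so each workload only receives the material it needs. Two smaller points: `internal_users.yml` holds the password hashes of the ODFE internal users and belongs in the `secretGenerator` rather than in the `elastic-odfe-conf` ConfigMap, and the four files under `secrets/` are committed with fixed credentials, so the README should tell users to replace them before `kubectl apply -k`.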

View File

@ -0,0 +1,16 @@
# Copyright (C) 2020 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh API credentials secret
apiVersion: v1
kind: Secret
metadata:
name: elastic-cred
data:
username: YWRtaW4= # string "admin" base64 encoded
password: U2VjcmV0UGFzc3dvcmQ= # string "SecretPassword" base64 encoded
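Review bot: the header comment `# Wazuh API credentials secret` is wrong for this file; the secret is `elastic-cred` and carries the Elasticsearch/ODFE credentials, so change it to something like `# Elasticsearch credentials secret`. The committed `admin` / `SecretPassword` pair is a placeholder default, and if a user changes `password` here it must also be changed as the bcrypt hash in `elastic_conf/internal_users.yml` (added to the `elastic-odfe-conf` ConfigMap in this PR) or Filebeat and Kibana authentication will fail; that dependency deserves a comment on the `password:` line.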

View File

@ -13,5 +13,5 @@ metadata:
name: wazuh-api-cred
namespace: wazuh
data:
username: Zm9v # string "foo" base64 encoded
password: YmFy # string "bar" base64 encoded
username: d2F6dWgtd3Vp # string "wazuh-wui" base64 encoded
password: TXlTM2NyMzdQNDUwci4qLQ== # string "MyS3cr37P450r.*-" base64 encoded
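Review bot: `wazuh-wui` / `MyS3cr37P450r.*-` replaces `foo` / `bar` with another fixed credential committed to the repository, and the master StatefulSet change in this same PR comments out the `API_USERNAME`/`API_PASSWORD` references to `wazuh-api-cred`, so the secret is now listed in `kustomization.yml` but consumed by nothing in the manifests. Either wire it back in or state in the commit message where the API credentials are read from in 4.0.0, and add a comment that the value has to be rotated before the API is exposed.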

View File

@ -1,4 +1,4 @@
# Copyright (C) 2018 Wazuh Inc.
# Copyright (C) 2020 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public

View File

@ -1,345 +0,0 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh master conf
apiVersion: v1
kind: ConfigMap
metadata:
name: wazuh-manager-master-conf
namespace: wazuh
data:
# /var/ossec/etc-template/ossec.conf
ossec.conf: |-
<!--
Wazuh - Manager - Default configuration for ubuntu 16.04
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
Customization: TCP on port 1514
Customization: Cluster mode enabled, master node
-->
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<queue_size>131072</queue_size>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/rootcheck/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/rootcheck/system_audit_ssh.txt</system_audit>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
</wodle>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
<wodle name="vulnerability-detector">
<disabled>yes</disabled>
<interval>1m</interval>
<run_on_start>yes</run_on_start>
<feed name="ubuntu-18">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
<feed name="redhat-7">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
<feed name="debian-9">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
</wodle>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/sys/kernel/security</ignore>
<ignore>/sys/kernel/debug</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<!-- Remove not monitored files -->
<remove_old_diff>yes</remove_old_diff>
<!-- Allow the system to restart Auditd after installing the plugin -->
<restart_audit>yes</restart_audit>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>10.66.0.2</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null-2012</name>
<executable>route-null-2012.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh-win-2016</name>
<executable>netsh-win-2016.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-sources</list>
<list>etc/lists/amazon/aws-eventnames</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<!-- Configuration for ossec-authd
To enable this service, run:
ossec-control enable auth
-->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<force_insert>no</force_insert>
<force_time>0</force_time>
<purge>no</purge>
<use_password>yes</use_password>
<limit_maxagents>yes</limit_maxagents>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>wazuh-manager-master</node_name>
<node_type>master</node_type>
<key>to_be_replaced_by_cluster_key</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh-manager-master-0.wazuh-cluster.wazuh.svc.cluster.local</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
</ossec_config>

View File

@ -1,4 +1,4 @@
# Copyright (C) 2018 Wazuh Inc.
# Copyright (C) 2020 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
@ -30,34 +30,80 @@ spec:
volumes:
- name: config
configMap:
name: wazuh-manager-master-conf
name: wazuh-conf
- name: filebeat-certs
secret:
secretName: odfe-ssl-certs
- name: wazuh-authd-pass
secret:
secretName: wazuh-authd-pass
containers:
- name: wazuh-manager
image: 'wazuh/wazuh:3.13.2_7.9.1'
image: 'wazuh/wazuh-odfe:4.0.0_1.10.1'
resources:
requests:
cpu: 2
memory: 1024Mi
cpu: 1
memory: 1Gi
limits:
cpu: 2
memory: 2048Mi
memory: 2Gi
securityContext:
capabilities:
add: ["SYS_CHROOT"]
volumeMounts:
- name: config
mountPath: /wazuh-config-mount/etc/ossec.conf
subPath: ossec.conf
subPath: master.conf
readOnly: true
- name: filebeat-certs
mountPath: /etc/ssl/root-ca.pem
readOnly: true
subPath: root-ca.pem
- name: filebeat-certs
mountPath: /etc/ssl/filebeat.pem
subPath: filebeat.pem
readOnly: true
- name: filebeat-certs
mountPath: /etc/ssl/filebeat.key
subPath: filebeat-key.pem
readOnly: true
- name: wazuh-manager-master
mountPath: /var/ossec/data
- name: wazuh-authd-pass
mountPath: /wazuh-config-mount/etc/authd.pass
subPath: authd.pass
readOnly: true
securityContext:
capabilities:
add: ["SYS_CHROOT"]
- name: wazuh-manager-master
mountPath: /var/ossec/api/configuration
subPath: wazuh/var/ossec/api/configuration
- name: wazuh-manager-master
mountPath: /var/ossec/etc
subPath: wazuh/var/ossec/etc
- name: wazuh-manager-master
mountPath: /var/ossec/logs
subPath: wazuh/var/ossec/logs
- name: wazuh-manager-master
mountPath: /var/ossec/queue
subPath: wazuh/var/ossec/queue
- name: wazuh-manager-master
mountPath: /var/ossec/var/multigroups
subPath: wazuh/var/ossec/var/multigroups
- name: wazuh-manager-master
mountPath: /var/ossec/integrations
subPath: wazuh/var/ossec/integrations
- name: wazuh-manager-master
mountPath: /var/ossec/active-response/bin
subPath: wazuh/var/ossec/active-response/bin
- name: wazuh-manager-master
mountPath: /var/ossec/agentless
subPath: wazuh/var/ossec/agentless
- name: wazuh-manager-master
mountPath: /var/ossec/wodles
subPath: wazuh/var/ossec/wodles
- name: wazuh-manager-master
mountPath: /etc/filebeat
subPath: filebeat/etc/filebeat
- name: wazuh-manager-master
mountPath: /var/lib/filebeat
subPath: filebeat/var/lib/filebeat
ports:
- containerPort: 1515
name: registration
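Review bot: the `filebeat-certs` volume is backed by the `odfe-ssl-certs` secret, which in this PR's `kustomization.yml` also contains `admin.pem`/`admin-key.pem`; the `subPath` mounts only limit what appears in the container filesystem, the pod is still bound to the whole secret. Add an `items:` list to the secret volume (`root-ca.pem`, `filebeat.pem`, `filebeat-key.pem`) or split the secret. Also, the `config` mount now uses `subPath: master.conf` from the `wazuh-conf` ConfigMap; subPath mounts are not refreshed when the ConfigMap changes, so a configuration edit needs a pod restart, which the README should say. Finally, the `securityContext` block appears at two positions in this hunk; if it was moved rather than duplicated that is fine, but confirm the final container spec has exactly one.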
@ -66,16 +112,36 @@ spec:
- containerPort: 55000
name: api
env:
- name: API_USER
- name: ELASTICSEARCH_URL
value: 'https://wazuh-elasticsearch-0.wazuh-elasticsearch:9200'
- name: ELASTIC_USERNAME
valueFrom:
secretKeyRef:
name: wazuh-api-cred
name: elastic-cred
key: username
- name: API_PASS
- name: ELASTIC_PASSWORD
valueFrom:
secretKeyRef:
name: wazuh-api-cred
name: elastic-cred
key: password
- name: FILEBEAT_SSL_VERIFICATION_MODE
value: 'none'
- name: SSL_CERTIFICATE_AUTHORITIES
value: /etc/ssl/root-ca.pem
- name: SSL_CERTIFICATE
value: /etc/ssl/filebeat.pem
- name: SSL_KEY
value: /etc/ssl/filebeat.key
# - name: API_USERNAME
# valueFrom:
# secretKeyRef:
# name: wazuh-api-cred
# key: username
# - name: API_PASSWORD
# valueFrom:
# secretKeyRef:
# name: wazuh-api-cred
# key: password
- name: WAZUH_CLUSTER_KEY
valueFrom:
secretKeyRef:
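Review bot: `FILEBEAT_SSL_VERIFICATION_MODE: 'none'` disables certificate verification for the Filebeat output even though `SSL_CERTIFICATE_AUTHORITIES` points at `/etc/ssl/root-ca.pem`, so the CA mounted above is never checked and a host that can intercept traffic on the cluster network could impersonate Elasticsearch and receive the manager's alerts. Leave the variable at Filebeat's default `full` and issue the node certificates with the service DNS names as SANs, or at least explain in a comment why verification is off. Two more points: `ELASTICSEARCH_URL` pins the output to the single pod `wazuh-elasticsearch-0` instead of the cluster service, so losing that pod stops indexing even while the other two nodes are healthy; and the commented-out `API_USERNAME`/`API_PASSWORD` block is dead configuration that should be removed or replaced by a one-line comment saying why it is kept.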

View File

@ -1,4 +1,4 @@
# Copyright (C) 2018 Wazuh Inc.
# Copyright (C) 2020 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public

View File

@ -1,345 +0,0 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh worker conf
apiVersion: v1
kind: ConfigMap
metadata:
name: wazuh-manager-worker-conf
namespace: wazuh
data:
# /var/ossec/etc-template/ossec.conf
ossec.conf: |-
<!--
Wazuh - Manager - Default configuration for ubuntu 16.04
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
Customization: TCP on port 1514
Customization: Cluster mode enabled, worker node
-->
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<queue_size>131072</queue_size>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/rootcheck/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/rootcheck/system_audit_ssh.txt</system_audit>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
</wodle>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
<wodle name="vulnerability-detector">
<disabled>yes</disabled>
<interval>1m</interval>
<run_on_start>yes</run_on_start>
<feed name="ubuntu-18">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
<feed name="redhat-7">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
<feed name="debian-9">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
</wodle>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/sys/kernel/security</ignore>
<ignore>/sys/kernel/debug</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<!-- Remove not monitored files -->
<remove_old_diff>yes</remove_old_diff>
<!-- Allow the system to restart Auditd after installing the plugin -->
<restart_audit>yes</restart_audit>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>10.66.0.2</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null-2012</name>
<executable>route-null-2012.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh-win-2016</name>
<executable>netsh-win-2016.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-sources</list>
<list>etc/lists/amazon/aws-eventnames</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<!-- Configuration for ossec-authd
To enable this service, run:
ossec-control enable auth
-->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<force_insert>no</force_insert>
<force_time>0</force_time>
<purge>no</purge>
<use_password>no</use_password>
<limit_maxagents>yes</limit_maxagents>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>to_be_replaced_by_hostname</node_name>
<node_type>worker</node_type>
<key>to_be_replaced_by_cluster_key</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh-manager-master-0.wazuh-cluster.wazuh.svc.cluster.local</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
</ossec_config>

View File

@ -1,11 +1,11 @@
# Copyright (C) 2018 Wazuh Inc.
# Copyright (C) 2020 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh worker StatefulSet: 0
# Wazuh workers StatefulSet
apiVersion: apps/v1
kind: StatefulSet
@ -36,43 +36,99 @@ spec:
volumes:
- name: config
configMap:
name: wazuh-manager-worker-conf
name: wazuh-conf
- name: filebeat-certs
secret:
secretName: odfe-ssl-certs
containers:
- name: wazuh-manager
image: "wazuh/wazuh:3.13.2_7.9.1"
image: 'wazuh/wazuh-odfe:4.0.0_1.10.1'
resources:
requests:
cpu: 2
memory: 1024Mi
cpu: 1
memory: 1Gi
limits:
cpu: 2
memory: 2048Mi
memory: 2Gi
securityContext:
capabilities:
add: ["SYS_CHROOT"]
volumeMounts:
- name: config
mountPath: /wazuh-config-mount/etc/ossec.conf
subPath: ossec.conf
subPath: worker.conf
readOnly: true
- name: filebeat-certs
mountPath: /etc/ssl/root-ca.pem
readOnly: true
subPath: root-ca.pem
- name: filebeat-certs
mountPath: /etc/ssl/filebeat.pem
subPath: filebeat.pem
readOnly: true
- name: filebeat-certs
mountPath: /etc/ssl/filebeat.key
subPath: filebeat-key.pem
readOnly: true
- name: wazuh-manager-worker
mountPath: /var/ossec/data
mountPath: /var/ossec/api/configuration
subPath: wazuh/var/ossec/api/configuration
- name: wazuh-manager-worker
mountPath: /var/ossec/etc
subPath: wazuh/var/ossec/etc
- name: wazuh-manager-worker
mountPath: /var/ossec/logs
subPath: wazuh/var/ossec/logs
- name: wazuh-manager-worker
mountPath: /var/ossec/queue
subPath: wazuh/var/ossec/queue
- name: wazuh-manager-worker
mountPath: /var/ossec/var/multigroups
subPath: wazuh/var/ossec/var/multigroups
- name: wazuh-manager-worker
mountPath: /var/ossec/integrations
subPath: wazuh/var/ossec/integrations
- name: wazuh-manager-worker
mountPath: /var/ossec/active-response/bin
subPath: wazuh/var/ossec/active-response/bin
- name: wazuh-manager-worker
mountPath: /var/ossec/agentless
subPath: wazuh/var/ossec/agentless
- name: wazuh-manager-worker
mountPath: /var/ossec/wodles
subPath: wazuh/var/ossec/wodles
- name: wazuh-manager-worker
mountPath: /etc/filebeat
subPath: filebeat/etc/filebeat
- name: wazuh-manager-worker
mountPath: /var/lib/filebeat
subPath: filebeat/var/lib/filebeat
ports:
- containerPort: 1514
name: agents-events
- containerPort: 1516
name: cluster
securityContext:
capabilities:
add: ["SYS_CHROOT"]
env:
- name: API_USER
- name: ELASTICSEARCH_URL
value: 'https://wazuh-elasticsearch-0.wazuh-elasticsearch:9200'
- name: ELASTIC_USERNAME
valueFrom:
secretKeyRef:
name: wazuh-api-cred
name: elastic-cred
key: username
- name: API_PASS
- name: ELASTIC_PASSWORD
valueFrom:
secretKeyRef:
name: wazuh-api-cred
name: elastic-cred
key: password
- name: FILEBEAT_SSL_VERIFICATION_MODE
value: 'none'
- name: SSL_CERTIFICATE_AUTHORITIES
value: /etc/ssl/root-ca.pem
- name: SSL_CERTIFICATE
value: /etc/ssl/filebeat.pem
- name: SSL_KEY
value: /etc/ssl/filebeat.key
- name: WAZUH_CLUSTER_KEY
valueFrom:
secretKeyRef:
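Review bot: the single `/var/ossec/data` mount is replaced by eleven `subPath` mounts of the `wazuh-manager-worker` PVC, including `/etc/filebeat` and `/var/ossec/etc`, directories the image ships populated; a freshly provisioned PVC subPath is an empty directory that shadows the image content, so this only works if the entrypoint of `wazuh/wazuh-odfe:4.0.0_1.10.1` seeds each listed directory on first start, and any `/var/ossec` path not in the list is lost on pod restart. Confirm the entrypoint covers every listed directory and record the persisted paths in the CHANGELOG. The `FILEBEAT_SSL_VERIFICATION_MODE: 'none'` and single-pod `ELASTICSEARCH_URL` settings have the same problems as in the master StatefulSet.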
@ -88,4 +144,4 @@ spec:
storageClassName: gp2-encrypted-retained
resources:
requests:
storage: 10Gi
storage: 50Gi
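Review bot: raising `storage` from `10Gi` to `50Gi` in `volumeClaimTemplates` does not apply to an existing StatefulSet, since that field is immutable and `kubectl apply` rejects the update; upgrading deployments must delete the StatefulSet while keeping its pods and PVCs and resize the PVCs by hand, which additionally requires `allowVolumeExpansion: true` on the `gp2-encrypted-retained` StorageClass. This should be listed as an upgrade step in the CHANGELOG.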

View File

@ -1,4 +1,4 @@
# Copyright (C) 2018 Wazuh Inc.
# Copyright (C) 2020 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public

View File

@ -0,0 +1,328 @@
<!--
Wazuh - Manager - Default configuration for ubuntu 16.04
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
Customization: TCP on port 1514
Customization: Cluster mode enabled, master node
-->
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<queue_size>131072</queue_size>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/rootcheck/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/rootcheck/system_audit_ssh.txt</system_audit>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
</wodle>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
<wodle name="vulnerability-detector">
<disabled>yes</disabled>
<interval>1m</interval>
<run_on_start>yes</run_on_start>
<feed name="ubuntu-18">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
<feed name="redhat-7">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
<feed name="debian-9">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
</wodle>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/sys/kernel/security</ignore>
<ignore>/sys/kernel/debug</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<!-- Remove not monitored files -->
<remove_old_diff>yes</remove_old_diff>
<!-- Allow the system to restart Auditd after installing the plugin -->
<restart_audit>yes</restart_audit>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>10.66.0.2</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null-2012</name>
<executable>route-null-2012.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh-win-2016</name>
<executable>netsh-win-2016.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-sources</list>
<list>etc/lists/amazon/aws-eventnames</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<!-- Configuration for ossec-authd
To enable this service, run:
ossec-control enable auth
-->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<force_insert>no</force_insert>
<force_time>0</force_time>
<purge>no</purge>
<use_password>yes</use_password>
<limit_maxagents>yes</limit_maxagents>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>wazuh-manager-master</node_name>
<node_type>master</node_type>
<key>to_be_replaced_by_cluster_key</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh-manager-master-0.wazuh-cluster.wazuh.svc.cluster.local</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
</ossec_config>
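Review bot: the `<cluster>` block at the end of this hunk ships `<key>to_be_replaced_by_cluster_key</key>` as a literal placeholder, and nothing in the visible configuration guards against it being left in place; since the cluster key is what authenticates worker nodes to the master, the entrypoint that performs the substitution should refuse to start the manager while the placeholder string is still present rather than run the cluster with a key that is public in this repository. In the same hunk, `<auth>` keeps `<ssl_agent_ca>` commented out and sets `<ssl_verify_host>no</ssl_verify_host>`, so enrollment on port 1515 is protected only by `<use_password>yes</use_password>`; a comment stating that the registration password is the sole control there, and that the `10.66.0.2` active-response `<white_list>` entry is a hardcoded address that may not correspond to anything in a Kubernetes network, would help the next maintainer.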

View File

@ -0,0 +1,328 @@
<!--
Wazuh - Manager - Default configuration for ubuntu 16.04
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
Customization: TCP on port 1514
Customization: Cluster mode enabled, worker node
-->
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<queue_size>131072</queue_size>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/rootcheck/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/rootcheck/system_audit_ssh.txt</system_audit>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
</wodle>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
<wodle name="vulnerability-detector">
<disabled>yes</disabled>
<interval>1m</interval>
<run_on_start>yes</run_on_start>
<feed name="ubuntu-18">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
<feed name="redhat-7">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
<feed name="debian-9">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
</wodle>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/sys/kernel/security</ignore>
<ignore>/sys/kernel/debug</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<!-- Remove not monitored files -->
<remove_old_diff>yes</remove_old_diff>
<!-- Allow the system to restart Auditd after installing the plugin -->
<restart_audit>yes</restart_audit>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>10.66.0.2</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null-2012</name>
<executable>route-null-2012.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh-win-2016</name>
<executable>netsh-win-2016.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-sources</list>
<list>etc/lists/amazon/aws-eventnames</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<!-- Configuration for ossec-authd
To enable this service, run:
ossec-control enable auth
-->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<force_insert>no</force_insert>
<force_time>0</force_time>
<purge>no</purge>
<use_password>no</use_password>
<limit_maxagents>yes</limit_maxagents>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>to_be_replaced_by_hostname</node_name>
<node_type>worker</node_type>
<key>to_be_replaced_by_cluster_key</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh-manager-master-0.wazuh-cluster.wazuh.svc.cluster.local</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
</ossec_config>
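Review bot: `<use_password>no</use_password>` in the worker's `<auth>` block differs from the master configuration earlier in this change, which sets `<use_password>yes</use_password>`. The worker also enables `<auth>` on port 1515, so unless the password check is enforced elsewhere for enrollment through a worker, agents registering via a worker are not subject to the password the master requires; either set the worker to `<use_password>yes</use_password>` as well, or document why the two intentionally differ. Also, `<node_name>to_be_replaced_by_hostname</node_name>` is a placeholder shared by every worker replica of the StatefulSet; if the substitution step is skipped, all workers join the cluster under the same node name, so that step should fail loudly rather than fall through. Minor: the header comment says "Default configuration for ubuntu 16.04" while the vulnerability-detector feeds reference `ubuntu-18`; the comment should be updated to match the intended base image.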