diff --git a/CHANGELOG.md b/CHANGELOG.md index d82dc2e..779b437 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,15 @@ All notable changes to this project will be documented in this file. +## [4.0.0] + +### Added + +- Update to Wazuh version 4.0.0_1.10.1 +- Support Opendistro for Elasticsearch v1.10.1 +- Use a single wazuh-manager-worker StatefulSet ([@rjmoseley](https://github.com/rjmoseley) [#106](https://github.com/wazuh/wazuh-kubernetes/pull/106)) +- Using Kubernetes secrets to store credentials ([@1stOfHisGame](https://github.com/1stOfHisGame) [#108](https://github.com/wazuh/wazuh-kubernetes/pull/108)) + ## [v3.13.2] ### Added diff --git a/base/aws-gp2-storage-class.yaml b/base/aws-gp2-storage-class.yaml index 7464124..4004d12 100644 --- a/base/aws-gp2-storage-class.yaml +++ b/base/aws-gp2-storage-class.yaml @@ -1,4 +1,4 @@ -# Copyright (C) 2018 Wazuh Inc. +# Copyright (C) 2020 Wazuh Inc. # # This program is a free software; you can redistribute it # and/or modify it under the terms of the GNU General Public diff --git a/base/wazuh-ns.yaml b/base/wazuh-ns.yaml index a67278a..2a12f51 100644 --- a/base/wazuh-ns.yaml +++ b/base/wazuh-ns.yaml @@ -1,4 +1,4 @@ -# Copyright (C) 2018 Wazuh Inc. +# Copyright (C) 2020 Wazuh Inc. # # This program is a free software; you can redistribute it # and/or modify it under the terms of the GNU General Public diff --git a/certs/kibana_http/.empty b/certs/kibana_http/.empty new file mode 100644 index 0000000..8d1c8b6 --- /dev/null +++ b/certs/kibana_http/.empty @@ -0,0 +1 @@ + diff --git a/certs/odfe_cluster/.empty b/certs/odfe_cluster/.empty new file mode 100644 index 0000000..8d1c8b6 --- /dev/null +++ b/certs/odfe_cluster/.empty @@ -0,0 +1 @@ + diff --git a/cleanup.md b/cleanup.md index 28f3923..ee6ce90 100644 --- a/cleanup.md +++ b/cleanup.md 
@@ -1,224 +1,19 @@ -# Clean up +# Clean up -Steps to perform a clean up of our deployments, services and volumes used in our environment. +Steps to perform a clean up of our deployments, services and volumes used in our environment. ## Wazuh managers -The deployment of the Wazuh cluster of managers involves the use of various statefulSet elements as well as configuration maps and services. - -### 1. The first step is to remove the pods corresponding to the managers. - -List the pods created. - -``` -ubuntu@k8s-control-server:~$ kubectl get pods --namespace wazuh -NAME READY STATUS RESTARTS AGE -wazuh-elasticsearch-0 1/1 Running 0 6d -wazuh-kibana-78cb4bbb7-xf4s8 1/1 Running 0 6d -wazuh-manager-master-0 1/1 Running 0 6d -wazuh-manager-worker-0 1/1 Running 0 6d -wazuh-manager-worker-1 1/1 Running 0 6d -wazuh-nginx-57c8c65486-7crh2 1/1 Running 0 6d -``` - -Proceed to remove the pods from Wazuh managers. - -``` -ubuntu@k8s-control-server:~$ kubectl delete pod wazuh-manager-master-0 --namespace wazuh -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete pod wazuh-manager-worker-0 --namespace wazuh -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete pod wazuh-manager-worker-1 --namespace wazuh -``` +The deployment of the Wazuh cluster of managers involves the use of various statefulSet elements as well as configuration maps and services. -### 2. Next remove the services related to the Wazuh cluster. +To delete your Wazuh cluster just use: `kubectl delete -k .` from this repository directory. -List the services created. -``` -ubuntu@k8s-control-server:~$ kubectl get services --namespace wazuh -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -elasticsearch ClusterIP 172.20.247.17 9200/TCP 6d -kibana ClusterIP 172.20.121.19 5601/TCP 6d -wazuh LoadBalancer 172.20.240.162 internal-ae32... 1515:30732/TCP,55000:30839/TCP 6d -wazuh-cluster ClusterIP None 1516/TCP 6d -wazuh-elasticsearch ClusterIP None 9300/TCP 6d -wazuh-nginx LoadBalancer 172.20.166.239 internal-ac0c... 
80:30409/TCP,443:32575/TCP 6d -wazuh-workers LoadBalancer 172.20.17.252 internal-aec3... 1514:32047/TCP 6d -``` +### Delete the persistent volumes manually. -Delete the corresponding services. +Since we use `reclaimPolicy: Retain` in the storage class definition you must delete volumes manually if you want to clean these as well. -``` -ubuntu@k8s-control-server:~$ kubectl delete service wazuh-cluster --namespace wazuh -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete service wazuh-workers --namespace wazuh -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete service wazuh --namespace wazuh -``` - -### 3. In this step delete the StatefulSet. - -``` -ubuntu@k8s-control-server:~$ kubectl get StatefulSet --namespace wazuh -NAME DESIRED CURRENT AGE -wazuh-elasticsearch 1 1 6d -wazuh-manager-master 1 1 6d -wazuh-manager-worker 1 1 6d -``` - -Remove the three StatefulSets from the Wazuh cluster managers. - -``` -ubuntu@k8s-control-server:~$ kubectl delete StatefulSet wazuh-manager-master --namespace wazuh -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete StatefulSet wazuh-manager-worker --namespace wazuh -``` - -### 4. Take care of deleting the configuration maps. - -``` -ubuntu@k8s-control-server:~$ kubectl get ConfigMap --namespace wazuh -NAME DATA AGE -wazuh-manager-master-conf 1 6d -wazuh-manager-worker-conf 1 6d -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete ConfigMap wazuh-manager-master-conf --namespace wazuh -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete ConfigMap wazuh-manager-worker-conf --namespace wazuh -``` - -### 5. Now eliminate the persistent volume claims. 
- -``` -ubuntu@k8s-control-server:~$ kubectl get persistentvolumeclaim --namespace wazuh -NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE -wazuh-elasticsearch-wazuh-elasticsearch-0 Bound pvc-b3226ad3-f7c4-11e8-b9b8-022ada63b4ac 30Gi RWO gp2-encrypted-retained 6d -wazuh-manager-master-wazuh-manager-master-0 Bound pvc-fb821971-f7c4-11e8-b9b8-022ada63b4ac 10Gi RWO gp2-encrypted-retained 6d -wazuh-manager-worker-wazuh-manager-worker-0 Bound pvc-ffe7bf66-f7c4-11e8-b9b8-022ada63b4ac 10Gi RWO gp2-encrypted-retained 6d -wazuh-manager-worker-wazuh-manager-worker-1 Bound pvc-024466da-f7c5-11e8-b9b8-022ada63b4ac 10Gi RWO gp2-encrypted-retained 6d -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete persistentvolumeclaim wazuh-manager-master-wazuh-manager-master-0 --namespace wazuh -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete persistentvolumeclaim wazuh-manager-master-wazuh-manager-worker-0 --namespace wazuh -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete persistentvolumeclaim wazuh-manager-master-wazuh-manager-worker-1 --namespace wazuh -``` - -### 6. Finally eliminate the persistent volumes. - -``` -ubuntu@k8s-control-server:~$ kubectl get persistentvolume -NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE -pvc-024466da-f7c5-11e8-b9b8-022ada63b4ac 10Gi RWO Retain Bound wazuh/wazuh-manager-worker-wazuh-manager-worker-1 gp2-encrypted-retained 6d -pvc-b3226ad3-f7c4-11e8-b9b8-022ada63b4ac 30Gi RWO Retain Bound wazuh/wazuh-elasticsearch-wazuh-elasticsearch-0 gp2-encrypted-retained 6d -pvc-fb821971-f7c4-11e8-b9b8-022ada63b4ac 10Gi RWO Retain Bound wazuh/wazuh-manager-master-wazuh-manager-master-0 gp2-encrypted-retained 6d -pvc-ffe7bf66-f7c4-11e8-b9b8-022ada63b4ac 10Gi RWO Retain Bound wazuh/wazuh-manager-worker-wazuh-manager-worker-0 gp2-encrypted-retained 6d -``` - -Master. - -``` -ubuntu@k8s-control-server:~$ kubectl delete persistentvolume pvc-fb821971-f7c4-11e8-b9b8-022ada63b4ac -``` - -Worker 0. 
- -``` -ubuntu@k8s-control-server:~$ kubectl delete persistentvolume pvc-ffe7bf66-f7c4-11e8-b9b8-022ada63b4ac -``` - -Worker 1. - -``` -ubuntu@k8s-control-server:~$ kubectl delete persistentvolume pvc-024466da-f7c5-11e8-b9b8-022ada63b4ac -``` - -#### Do not forget to delete the volumes manually in AWS. - -## Elasticsearch - -The process for cleaning the Elasticsearch installation environment is similar to that of the Wazuh cluster. In order to do this remove the Elasticsearch deployment as well as its associated services and volumes. - -### 1. The first step is to remove the pods corresponding to Elasticsearch. - -``` -ubuntu@k8s-control-server:~$ kubectl get pods --namespace wazuh -NAME READY STATUS RESTARTS AGE -wazuh-elasticsearch-0 1/1 Running 0 6d -wazuh-kibana-78cb4bbb7-xf4s8 1/1 Running 0 6d -wazuh-nginx-57c8c65486-7crh2 1/1 Running 0 6d -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete pod wazuh-elasticsearch-0 --namespace wazuh -``` - -### 2. Next remove the services related to Elasticsearch. - -``` -ubuntu@k8s-control-server:~$ kubectl get services --namespace wazuh -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -elasticsearch ClusterIP 172.20.247.17 9200/TCP 6d -kibana ClusterIP 172.20.121.19 5601/TCP 6d -wazuh-elasticsearch ClusterIP None 9300/TCP 6d -wazuh-nginx LoadBalancer 172.20.166.239 internal-ac0c... 80:30409/TCP,443:32575/TCP 6d -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete service elasticsearch --namespace wazuh -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete service wazuh-elasticsearch --namespace wazuh -``` - -### 3. In this step delete the StatefulSet. - -``` -ubuntu@k8s-control-server:~$ kubectl get StatefulSet --namespace wazuh -NAME DESIRED CURRENT AGE -wazuh-elasticsearch 1 1 6d -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete StatefulSet wazuh-elasticsearch --namespace wazuh -``` - -### 4. Now eliminate the persistent volume claims. 
- -``` -ubuntu@k8s-control-server:~$ kubectl get persistentvolumeclaim --namespace wazuh -NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE -wazuh-elasticsearch-wazuh-elasticsearch-0 Bound pvc-b3226ad3-f7c4-11e8-b9b8-022ada63b4ac 30Gi RWO gp2-encrypted-retained 6d -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete persistentvolumeclaim wazuh-elasticsearch-wazuh-elasticsearch-0 --namespace wazuh -``` - -### 5. Finally delete the persistent volumes. ``` ubuntu@k8s-control-server:~$ kubectl get persistentvolume 
@@ -229,68 +24,8 @@ pvc-fb821971-f7c4-11e8-b9b8-022ada63b4ac 10Gi RWO Retain pvc-ffe7bf66-f7c4-11e8-b9b8-022ada63b4ac 10Gi RWO Retain Released wazuh/wazuh-manager-worker-wazuh-manager-worker-0 gp2-encrypted-retained 6d ``` -Master. - ``` ubuntu@k8s-control-server:~$ kubectl delete persistentvolume pvc-b3226ad3-f7c4-11e8-b9b8-022ada63b4ac ``` -#### Do not forget to delete the volumes manually in AWS. - -## Kibana and Nginx - -To clean the Kibana and Nginx installation remove their deployments and services. - -### 1. The first step is to remove the pods corresponding to Kibana and Nginx. - -``` -ubuntu@k8s-control-server:~$ kubectl get pods --namespace wazuh -NAME READY STATUS RESTARTS AGE -wazuh-kibana-78cb4bbb7-xf4s8 1/1 Running 0 6d -wazuh-nginx-57c8c65486-7crh2 1/1 Running 0 6d -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete pod wazuh-kibana-78cb4bbb7-xf4s8 --namespace wazuh -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete pod wazuh-nginx-57c8c65486-7crh2 --namespace wazuh -``` - -### 2. Next remove the services related to Kibana and Nginx. - -``` -ubuntu@k8s-control-server:~$ kubectl get services --namespace wazuh -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -kibana ClusterIP 172.20.121.19 5601/TCP 6d -wazuh-nginx LoadBalancer 172.20.166.239 internal-ac0c... 80:30409/TCP,443:32575/TCP 6d -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete service kibana --namespace wazuh -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete service wazuh-nginx --namespace wazuh -``` - -### 3. Finally delete the deployments. 
- -``` -ubuntu@k8s-control-server:~$ kubectl get deploy --namespace wazuh -NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE -wazuh-kibana 1 1 1 1 6d -wazuh-nginx 1 1 1 1 6d -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete deploy wazuh-kibana --namespace wazuh -``` - -``` -ubuntu@k8s-control-server:~$ kubectl delete deploy wazuh-nginx --namespace wazuh -``` - - Once these steps are completed, our Kubernetes environment will be clean of deployments relating to the Wazuh cluster and related Elastic Stack components. \ No newline at end of file diff --git a/elastic_stack/elasticsearch/cluster/elasticsearch-api-svc.yaml b/elastic_stack/elasticsearch/cluster/elasticsearch-api-svc.yaml index 317e385..0efac44 100644 --- a/elastic_stack/elasticsearch/cluster/elasticsearch-api-svc.yaml +++ b/elastic_stack/elasticsearch/cluster/elasticsearch-api-svc.yaml @@ -1,4 +1,4 @@ -# Copyright (C) 2018 Wazuh Inc. +# Copyright (C) 2020 Wazuh Inc. # # This program is a free software; you can redistribute it # and/or modify it under the terms of the GNU General Public diff --git a/elastic_stack/elasticsearch/cluster/elasticsearch-data-sts.yaml b/elastic_stack/elasticsearch/cluster/elasticsearch-data-sts.yaml deleted file mode 100644 index 7267cfa..0000000 --- a/elastic_stack/elasticsearch/cluster/elasticsearch-data-sts.yaml +++ /dev/null 
@@ -1,105 +0,0 @@
-# Copyright (C) 2018 Wazuh Inc.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-# Elasticsearch StatefulSet: 3 data nodes.
-
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: data-elasticsearch
- namespace: wazuh
-spec:
- replicas: 3
- selector:
- matchLabels:
- app: wazuh-elasticsearch
- serviceName: wazuh-elasticsearch
- template:
- metadata:
- labels:
- app: wazuh-elasticsearch
- name: wazuh-elasticsearch
- spec:
- # Set the wazuh-elasticsearch volume permissions so the elasticsearch user can use it!
- initContainers:
- - name: volume-mount-hack
- image: busybox
- resources:
- requests:
- cpu: 50m
- memory: 128Mi
- limits:
- cpu: 100m
- memory: 256Mi
- command:
- - sh
- - '-c'
- - 'chown -R 1000:1000 /usr/share/elasticsearch/data'
- volumeMounts:
- - name: wazuh-elasticsearch
- mountPath: /usr/share/elasticsearch/data
- - name: increase-the-vm-max-map-count
- image: busybox
- command:
- - sysctl
- - -w
- - vm.max_map_count=262144
- securityContext:
- privileged: true
- containers:
- - name: wazuh-elasticsearch
- image: 'wazuh/wazuh-elasticsearch:3.13.2_7.9.1'
- resources:
- requests:
- cpu: 500m
- memory: 1Gi
- limits:
- cpu: 1
- memory: 2Gi
- env:
- - name: ES_JAVA_OPTS
- value: '-Xms1024m -Xmx1024m'
- - name: node.master
- value: "false"
- - name: node.data
- value: "true"
- - name: node.ingest
- value: "false"
- - name: bootstrap.memory_lock
- value: "false"
- - name: cluster.name
- value: wazuh
- - name: network.host
- value: 0.0.0.0
- - name: node.name
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: discovery.zen.ping.unicast.hosts
- value: "wazuh-elasticsearch"
- volumeMounts:
- - name: wazuh-elasticsearch
- mountPath: /usr/share/elasticsearch/data
- securityContext:
- capabilities:
- add: ["SYS_CHROOT"]
- ports:
- - containerPort: 9200
- name: es-rest
- - containerPort: 9300
- name: es-nodes
- volumeClaimTemplates:
- - metadata:
- name: wazuh-elasticsearch
- namespace: es-cluster
- spec:
- accessModes:
- - ReadWriteOnce
- storageClassName: gp2-encrypted-retained
- resources:
- requests:
- storage: 10Gi
diff --git a/elastic_stack/elasticsearch/cluster/elasticsearch-master-sts.yaml b/elastic_stack/elasticsearch/cluster/elasticsearch-sts.yaml
similarity index 54%
rename from elastic_stack/elasticsearch/cluster/elasticsearch-master-sts.yaml
rename to elastic_stack/elasticsearch/cluster/elasticsearch-sts.yaml
index 1c190e3..4f8965b 100644
--- a/elastic_stack/elasticsearch/cluster/elasticsearch-master-sts.yaml
+++ b/elastic_stack/elasticsearch/cluster/elasticsearch-sts.yaml
@@ -1,4 +1,4 @@
-# Copyright (C) 2018 Wazuh Inc.
+# Copyright (C) 2020 Wazuh Inc.
 #
 # This program is a free software; you can redistribute it
 # and/or modify it under the terms of the GNU General Public
@@ -24,7 +24,14 @@ spec:
 app: wazuh-elasticsearch
 name: wazuh-elasticsearch
 spec:
- # Set the wazuh-elasticsearch volume permissions so the elasticsearch user can use it!
+ # Set the wazuh-elasticsearch volume permissions so the elasticsearch user can use it
+ volumes:
+ - name: odfe-ssl-certs
+ secret:
+ secretName: odfe-ssl-certs
+ - name: elastic-odfe-conf
+ configMap:
+ name: elastic-odfe-conf
 initContainers:
 - name: volume-mount-hack
 image: busybox
@@ -52,7 +59,7 @@ spec:
 privileged: true
 containers:
 - name: wazuh-elasticsearch
- image: 'wazuh/wazuh-elasticsearch:3.13.2_7.9.1'
+ image: 'amazon/opendistro-for-elasticsearch:1.10.1'
 resources:
 requests:
 cpu: 500m
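Review bot: The `odfe-ssl-certs` secret volume added in the `@@ -24,7 +24,14 @@` hunk sets no `defaultMode`, so the private keys it carries (`node-key.pem`, `admin-key.pem`, mounted later in this file) are projected with the Kubernetes default of world-readable files inside the pod. Because the elasticsearch process appears to run as uid 1000 (the init container's `chown -R 1000:1000` in the surrounding context), a restrictive mode has to be paired with a matching group, e.g. `defaultMode: 0440` on the secret volume plus `securityContext: {fsGroup: 1000}` on the pod spec — please confirm the uid against the image before relying on it. The pod template spec this hunk edits starts and ends outside the hunk.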
@@ -62,33 +69,55 @@ spec:
 memory: 2Gi
 env:
 - name: ES_JAVA_OPTS
- value: '-Xms512m -Xmx512m'
- - name: node.master
- value: 'true'
- - name: node.data
- value: 'false'
- - name: node.ingest
- value: 'false'
- - name: bootstrap.memory_lock
- value: 'false'
- - name: cluster.name
+ value: '-Xms1g -Xmx1g'
+ - name: CLUSTER_NAME
 value: wazuh
- - name: network.host
- value: 0.0.0.0
- - name: node.name
+ - name: NETWORK_HOST
+ value: "0.0.0.0"
+ - name: NODE_NAME
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- - name: discovery.zen.ping.unicast.hosts
- value: "wazuh-elasticsearch"
- - name: discovery.zen.minimum_master_nodes
- value: "2"
- volumeMounts:
- - name: wazuh-elasticsearch
- mountPath: /usr/share/elasticsearch/data
+ - name: DISCOVERY_SERVICE
+ value: wazuh-elasticsearch
+ - name: KUBERNETES_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
 securityContext:
 capabilities:
 add: ["SYS_CHROOT"]
+ volumeMounts:
+ - name: wazuh-elasticsearch
+ mountPath: /usr/share/elasticsearch/data
+ - name: odfe-ssl-certs
+ mountPath: /usr/share/elasticsearch/config/node-key.pem
+ subPath: node-key.pem
+ readOnly: true
+ - name: odfe-ssl-certs
+ mountPath: /usr/share/elasticsearch/config/node.pem
+ subPath: node.pem
+ readOnly: true
+ - name: odfe-ssl-certs
+ mountPath: /usr/share/elasticsearch/config/root-ca.pem
+ subPath: root-ca.pem
+ readOnly: true
+ - name: odfe-ssl-certs
+ mountPath: /usr/share/elasticsearch/config/admin.pem
+ subPath: admin.pem
+ readOnly: true
+ - name: odfe-ssl-certs
+ mountPath: /usr/share/elasticsearch/config/admin-key.pem
+ subPath: admin-key.pem
+ readOnly: true
+ - name: elastic-odfe-conf
+ mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
+ subPath: elasticsearch.yml
+ readOnly: true
+ - name: elastic-odfe-conf
+ mountPath: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
+ subPath: internal_users.yml
+ readOnly: true
 ports:
 - containerPort: 9200
 name: es-rest
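Review bot: The new `volumeMounts` entries put `admin.pem` and `admin-key.pem` into every long-running elasticsearch container, although the matching `elasticsearch.yml` in this commit makes that certificate's DN (`opendistro_security.authcz.admin_dn`) the security plugin's superuser identity, so any process or shell in the node container holds full security-admin credentials. If the admin keypair is only needed for the one-time securityadmin initialization (not visible on this page), it would be safer to keep it in a separate Secret from the node keypair and mount it only into the Job or init step that runs that tool, dropping the two `admin*.pem` mounts here. The container spec these mounts belong to starts outside the hunk.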
diff --git a/elastic_stack/elasticsearch/elastic_conf/elasticsearch.yml b/elastic_stack/elasticsearch/elastic_conf/elasticsearch.yml
new file mode 100644
index 0000000..d69929f
--- /dev/null
+++ b/elastic_stack/elasticsearch/elastic_conf/elasticsearch.yml
@@ -0,0 +1,28 @@
+cluster.name: ${CLUSTER_NAME}
+node.name: ${NODE_NAME}
+network.host: ${NETWORK_HOST}
+discovery.seed_hosts: wazuh-elasticsearch-0.wazuh-elasticsearch
+cluster.initial_master_nodes:
+ - wazuh-elasticsearch-0
+
+opendistro_security.ssl.transport.enabled: true
+opendistro_security.ssl.transport.pemcert_filepath: node.pem
+opendistro_security.ssl.transport.pemkey_filepath: node-key.pem
+opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.http.enabled: true
+opendistro_security.ssl.http.pemcert_filepath: node.pem
+opendistro_security.ssl.http.pemkey_filepath: node-key.pem
+opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.audit.config.index: "'security-auditlog-'YYYY.MM"
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.authcz.admin_dn:
+ - CN=admin,O=Company,L=California,C=US
+opendistro_security.nodes_dn:
+ - CN=*.elasticsearch,O=Company,L=California,C=US
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access", "service_full_access"]
+
+cluster.routing.allocation.disk.threshold_enabled: false
diff --git a/elastic_stack/elasticsearch/elastic_conf/internal_users.yml b/elastic_stack/elasticsearch/elastic_conf/internal_users.yml
new file mode 100644
index 0000000..d9f05b3
--- /dev/null
+++ b/elastic_stack/elasticsearch/elastic_conf/internal_users.yml
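Review bot: With `opendistro_security.ssl.transport.enforce_hostname_verification: false` and the wildcard `nodes_dn` entry `CN=*.elasticsearch,O=Company,L=California,C=US`, any certificate issued by `root-ca.pem` whose CN fits that pattern is accepted as a cluster member, so node authentication rests entirely on that CA being private to this deployment; the file should say so, e.g. `# NOTE: hostname verification is off; transport trust relies on root-ca.pem being a CA dedicated to this cluster and on the nodes_dn pattern`. The last line, `cluster.routing.allocation.disk.threshold_enabled: false`, turns off the disk watermarks that stop a node from writing itself to a full disk and deserves a one-line comment stating why it is disabled here. `allow_default_init_securityindex: true` also means the committed `internal_users.yml` is loaded automatically on first start, so its contents are effectively the initial credential set.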
@@ -0,0 +1,56 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+ type: "internalusers"
+ config_version: 2
+
+# Define your internal users here
+
+## Demo users
+
+admin:
+ hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
+ reserved: true
+ backend_roles:
+ - "admin"
+ description: "Demo admin user"
+
+kibanaserver:
+ hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
+ reserved: true
+ description: "Demo kibanaserver user"
+
+kibanaro:
+ hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+ reserved: false
+ backend_roles:
+ - "kibanauser"
+ - "readall"
+ attributes:
+ attribute1: "value1"
+ attribute2: "value2"
+ attribute3: "value3"
+ description: "Demo kibanaro user"
+
+logstash:
+ hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
+ reserved: false
+ backend_roles:
+ - "logstash"
+ description: "Demo logstash user"
+
+readall:
+ hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
+ reserved: false
+ backend_roles:
+ - "readall"
+ description: "Demo readall user"
+
+snapshotrestore:
+ hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
+ reserved: false
+ backend_roles:
+ - "snapshotrestore"
+ description: "Demo snapshotrestore user"
diff --git a/elastic_stack/elasticsearch/single-node/elasticsearch-api-svc.yaml b/elastic_stack/elasticsearch/single-node/elasticsearch-api-svc.yaml
deleted file mode 100644
index 5c0962a..0000000
--- a/elastic_stack/elasticsearch/single-node/elasticsearch-api-svc.yaml
+++ /dev/null
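Review bot: The committed `admin` and `kibanaserver` entries carry fixed bcrypt hashes that the file itself labels "Demo" users, which means the initial superuser password is whatever those well-known demo hashes encode rather than something chosen per deployment. This also conflicts with `kibana-deploy.yaml` in the same commit, which reads Kibana's Elasticsearch password from the `elastic-cred` Secret: nothing visible here keeps that Secret in step with the hash on the `kibanaserver` line, so a mismatch breaks Kibana's login silently. Consider generating the hash at deploy time with the `plugin/tools/hash.sh` tool the header comment already names and feeding it from the same Secret, and, if this deployment does not use `kibanaro`, `logstash`, `readall` or `snapshotrestore` (not determinable from this page), dropping those demo accounts.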
@@ -1,23 +0,0 @@
-# Copyright (C) 2018 Wazuh Inc.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-# Elasticsearch service: API
-
-apiVersion: v1
-kind: Service
-metadata:
- name: elasticsearch
- namespace: wazuh
- labels:
- app: wazuh-elasticsearch
-spec:
- selector:
- app: wazuh-elasticsearch
- ports:
- - name: es-rest
- port: 9200
- targetPort: 9200
diff --git a/elastic_stack/elasticsearch/single-node/elasticsearch-sts.yaml b/elastic_stack/elasticsearch/single-node/elasticsearch-sts.yaml
deleted file mode 100644
index af0bbc6..0000000
--- a/elastic_stack/elasticsearch/single-node/elasticsearch-sts.yaml
+++ /dev/null
@@ -1,95 +0,0 @@
-# Copyright (C) 2018 Wazuh Inc.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-# Elasticsearch StatefulSet: Single node.
-
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: wazuh-elasticsearch
- namespace: wazuh
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: wazuh-elasticsearch
- serviceName: wazuh-elasticsearch
- template:
- metadata:
- labels:
- app: wazuh-elasticsearch
- name: wazuh-elasticsearch
- spec:
- # Set the wazuh-elasticsearch volume permissions so the elasticsearch user can use it!
- initContainers:
- - name: volume-mount-hack
- image: busybox
- resources:
- requests:
- cpu: 50m
- memory: 128Mi
- limits:
- cpu: 100m
- memory: 256Mi
- command:
- - sh
- - '-c'
- - 'chown -R 1000:1000 /usr/share/elasticsearch/data'
- volumeMounts:
- - name: wazuh-elasticsearch
- mountPath: /usr/share/elasticsearch/data
- - name: increase-the-vm-max-map-count
- image: busybox
- command:
- - sysctl
- - -w
- - vm.max_map_count=262144
- securityContext:
- privileged: true
- containers:
- - name: wazuh-elasticsearch
- image: 'wazuh/wazuh-elasticsearch:3.13.2_7.9.1'
- resources:
- requests:
- cpu: 500m
- memory: 1Gi
- limits:
- cpu: 1
- memory: 2Gi
- env:
- - name: ES_JAVA_OPTS
- value: '-Xms1024m -Xmx1024m'
- - name: bootstrap.memory_lock
- value: 'false'
- - name: cluster.name
- value: wazuh
- - name: network.host
- value: 0.0.0.0
- - name: node.name
- value: node-1
- securityContext:
- capabilities:
- add: ["SYS_CHROOT"]
- volumeMounts:
- - name: wazuh-elasticsearch
- mountPath: /usr/share/elasticsearch/data
- ports:
- - containerPort: 9200
- name: es-rest
- - containerPort: 9300
- name: es-nodes
- volumeClaimTemplates:
- - metadata:
- name: wazuh-elasticsearch
- namespace: wazuh
- spec:
- accessModes:
- - ReadWriteOnce
- storageClassName: gp2-encrypted-retained
- resources:
- requests:
- storage: 30Gi
diff --git a/elastic_stack/kibana/kibana-deploy.yaml b/elastic_stack/kibana/kibana-deploy.yaml
index cae3754..fbba1a3 100644
--- a/elastic_stack/kibana/kibana-deploy.yaml
+++ b/elastic_stack/kibana/kibana-deploy.yaml
@@ -23,21 +23,54 @@ spec:
 app: wazuh-kibana
 name: wazuh-kibana
 spec:
+ volumes:
+ - name: kibana-certs
+ secret:
+ secretName: kibana-certs
 containers:
 - name: wazuh-kibana
- image: 'wazuh/wazuh-kibana:3.13.2_7.9.1'
+ image: 'wazuh/wazuh-kibana-odfe:4.0.0_1.10.1'
 resources:
 requests:
 cpu: 200m
 memory: 512Mi
 limits:
 cpu: 400m
- memory: 2048Mi
+ memory: 2Gi
+ volumeMounts:
+ - name: kibana-certs
+ mountPath: /usr/share/kibana/config/cert.pem
+ readOnly: true
+ subPath: cert.pem
+ - name: kibana-certs
+ mountPath: /usr/share/kibana/config/key.pem
+ readOnly: true
+ subPath: key.pem
 ports:
 - containerPort: 5601
 name: kibana
 env:
 - name: ELASTICSEARCH_URL
- value: 'http://elasticsearch:9200'
- - name: NODE_OPTIONS
- value: '--max-old-space-size=2048'
+ value: 'https://wazuh-elasticsearch-0.wazuh-elasticsearch:9200'
+ - name: ELASTICSEARCH_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: elastic-cred
+ key: username
+ - name: ELASTICSEARCH_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: elastic-cred
+ key: password
+ - name: SERVER_SSL_ENABLED
+ value: "true"
+ - name: SERVER_SSL_CERTIFICATE
+ value: /usr/share/kibana/config/cert.pem
+ - name: SERVER_SSL_KEY
+ value: /usr/share/kibana/config/key.pem
+ - name: WAZUH_API_URL
+ value: https://wazuh-manager-master-0.wazuh-cluster
+ - name: API_USERNAME
+ value: wazuh-wui
+ - name: API_PASSWORD
+ value: wazuh-wui
diff --git a/elastic_stack/kibana/kibana-svc.yaml b/elastic_stack/kibana/kibana-svc.yaml
index 838edac..8c859c3 100644
--- a/elastic_stack/kibana/kibana-svc.yaml
+++ b/elastic_stack/kibana/kibana-svc.yaml
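Review bot: The last two `env` entries in the kibana-deploy.yaml hunk hard-code the Wazuh API credentials as plain `value: wazuh-wui` for both `API_USERNAME` and `API_PASSWORD`, while the Elasticsearch credentials a few lines above are read via `secretKeyRef` from `elastic-cred`; the manifest therefore still ships a literal password, contrary to the changelog line "Using Kubernetes secrets to store credentials". Moving both to a Secret keeps the two credential pairs consistent and out of the rendered manifest; the Secret name below is a placeholder to be created alongside `elastic-cred`. The Deployment this container belongs to starts outside the hunk.
```yaml
# … unchanged: ELASTICSEARCH_*, SERVER_SSL_* and WAZUH_API_URL entries …
 - name: API_USERNAME
 valueFrom:
 secretKeyRef:
 name: wazuh-api-cred  # placeholder: Secret holding the Wazuh API user and password
 key: username
 - name: API_PASSWORD
 valueFrom:
 secretKeyRef:
 name: wazuh-api-cred  # placeholder, same Secret as above
 key: password
```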
@@ -14,10 +14,17 @@ metadata:
 namespace: wazuh
 labels:
 app: wazuh-kibana
+ # dns: route53
+ annotations:
+ # domainName: 'changeme'
+ # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 'changeme'
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: '443'
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
 spec:
+ type: LoadBalancer
 selector:
 app: wazuh-kibana
 ports:
 - name: kibana
- port: 5601
+ port: 443
 targetPort: 5601
diff --git a/elastic_stack/kibana/nginx-deploy.yaml b/elastic_stack/kibana/nginx-deploy.yaml
deleted file mode 100644
index 2b2470b..0000000
--- a/elastic_stack/kibana/nginx-deploy.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-# Copyright (C) 2018 Wazuh Inc.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
-
-# Nginx Deployment
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: wazuh-nginx
- namespace: wazuh
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: wazuh-nginx
- template:
- metadata:
- labels:
- app: wazuh-nginx
- name: wazuh-nginx
- spec:
- containers:
- - name: wazuh-nginx
- image: 'wazuh/wazuh-nginx:3.13.2_7.9.1'
- resources:
- requests:
- cpu: 100m
- memory: 64Mi
- limits:
- cpu: 200m
- memory: 128Mi
- env:
- - name: NGINX_PORT
- value: '443'
- - name: NGINX_NAME
- value: 'foo'
- - name: NGINX_PWD
- value: 'bar'
- ports:
- - containerPort: 80
- - containerPort: 443
diff --git a/elastic_stack/kibana/nginx-svc.yaml b/elastic_stack/kibana/nginx-svc.yaml
deleted file mode 100644
index 06f1a30..0000000
--- a/elastic_stack/kibana/nginx-svc.yaml
+++ /dev/null
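Review bot: The `kibana` Service becomes a `type: LoadBalancer` on port 443 with the `aws-load-balancer-ssl-cert` annotation left commented out as `'changeme'`, and the instructions.md hunks in this same commit delete the paragraph that used to tell operators to fill in `domainName` and the ACM certificate ARN (it referred to nginx-svc.yaml) without adding an equivalent for this file. Since TLS is now terminated by Kibana itself with the self-managed `kibana-certs` secret and `backend-protocol: https`, which certificate clients see on the public listener when the ACM annotation stays unset depends on the cloud-provider behaviour and should be stated next to the annotation, e.g. `# the ELB re-encrypts to Kibana's own cert.pem; set the ACM ARN above to present a trusted certificate to browsers`. If the load balancer is internet-facing, `loadBalancerSourceRanges` is the place to limit who can reach the login page.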
@@ -1,30 +0,0 @@ -# Copyright (C) 2018 Wazuh Inc. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -# Nginx service - -apiVersion: v1 -kind: Service -metadata: - name: wazuh-nginx - namespace: wazuh - labels: - app: wazuh-nginx - # dns: route53 - annotations: - # domainName: 'changeme' - # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 'changeme' - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: '443' - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https -spec: - type: LoadBalancer - selector: - app: wazuh-nginx - ports: - - name: web-https - port: 443 - targetPort: 443 diff --git a/instructions.md b/instructions.md index ec87c65..418a035 100644 --- a/instructions.md +++ b/instructions.md @@ -29,7 +29,7 @@ This pod contains the master node of the Wazuh cluster. The master node centrali The management is performed only in this node, so the agent registration service (authd) and the API are placed here. Details: -- Image: Docker Hub 'wazuh/wazuh:3.13.2_7.9.1' +- Image: Docker Hub 'wazuh/wazuh-odfe' - Controller: StatefulSet #### Wazuh worker 0 / 1 @@ -37,7 +37,7 @@ Details: These pods contain a worker node of the Wazuh cluster. They will receive the agent events. Details: -- Image: Docker Hub 'wazuh/wazuh:3.13.2_7.9.1' +- Image: Docker Hub 'wazuh/wazuh-odfe' - Controller: StatefulSet @@ -46,7 +46,7 @@ Details: Elasticsearch pod. No Elasticsearch cluster is supported yet. Details: -- Image: wazuh/wazuh-elasticsearch:3.13.2_7.9.1 +- Image: amazon/opendistro-for-elasticsearch - Controller: StatefulSet #### Kibana 
@@ -54,18 +54,9 @@ Details: Kibana pod. It lets you visualize your Elasticsearch data, along with other features as the Wazuh app. Details: -- image: Docker Hub 'wazuh/kibana:3.13.2_7.9.1' +- image: Docker Hub 'wazuh/wazuh-kibana-odfe' - Controller: Deployment -#### Nginx - -The nginx pod acts as a reverse proxy for a safer access to Kibana. - -Details: -- image: Docker Hub 'wazuh/nginx:3.13.2_7.9.1' -- Controller: Deployment - - ### Services #### Elastic stack @@ -74,10 +65,8 @@ Details: - Communication for Elasticsearch nodes. - elasticsearch: - Elasticsearch API. Used by Kibana to write/read alerts. -- wazuh-nginx: - - Nginx proxy to access Kibana: https://wazuh.your-domain.com:443 - kibana: - - Kibana service. + - Kibana service. https://wazuh.your-domain.com:443 #### Wazuh 
@@ -119,58 +108,14 @@ $ git clone https://github.com/wazuh/wazuh-kubernetes.git $ cd wazuh-kubernetes ``` -### Step 3.1: Wazuh namespace and StorageClass +### Step 3.1: Apply all manifests using kustomize -The Wazuh namespace is used to handle all the Kubernetes elements (services, deployments, pods) necessary for Wazuh. In addition, you must create a StorageClass to use AWS EBS storage in our StateFulSet applications. +By using the kustomization.yml we can now deploy the whole cluster in a single command. ```BASH -$ kubectl apply -f base/wazuh-ns.yaml -$ kubectl apply -f base/aws-gp2-storage-class.yaml +$ kubectl apply -k . ``` -### Step 3.2: Deploy Elasticsearch - -Elasticsearch deployment. - -```BASH -$ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-svc.yaml -$ kubectl apply -f elastic_stack/elasticsearch//elasticsearch-api-svc.yaml -$ kubectl apply -f elastic_stack/elasticsearch//elasticsearch-sts.yaml -``` -Where `` is either `single-node` or `cluster` - -### Step 3.3: Deploy Kibana and Nginx - -Kibana and Nginx deployment. - -In case you need to provide a domain name, update the `domainName` annotation value in the [nginx-svc.yaml](elastic_stack/kibana/nginx-svc.yaml) file before deploying that service. You should also set a valid AWS ACM certificate ARN in the [nginx-svc.yaml](elastic_stack/kibana/nginx-svc.yaml) for the `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` annotation. That certificate should match with the `domainName`. - -```BASH -$ kubectl apply -f elastic_stack/kibana/kibana-svc.yaml -$ kubectl apply -f elastic_stack/kibana/nginx-svc.yaml - -$ kubectl apply -f elastic_stack/kibana/kibana-deploy.yaml -$ kubectl apply -f elastic_stack/kibana/nginx-deploy.yaml -``` - -### Step 3.5: Deploy Wazuh - -Wazuh cluster deployment. 
- -In case you need to provide a domain name, update the `domainName` annotation value in both the [wazuh-master-svc.yaml](wazuh_managers/wazuh-master-svc.yaml) and the [wazuh-workers-svc.yaml](wazuh_managers/wazuh-workers-svc.yaml) files before deploying those services. You should also set a valid AWS ACM certificate ARN in the [wazuh-master-svc.yaml](wazuh_managers/wazuh-master-svc.yaml) for the `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` annotation. That certificate should match with the `domainName`. - - -```BASH -$ kubectl apply -f wazuh_managers/wazuh-master-svc.yaml -$ kubectl apply -f wazuh_managers/wazuh-cluster-svc.yaml -$ kubectl apply -f wazuh_managers/wazuh-workers-svc.yaml - -$ kubectl apply -f wazuh_managers/wazuh-master-conf.yaml -$ kubectl apply -f wazuh_managers/wazuh-worker-conf.yaml - -$ kubectl apply -f wazuh_managers/wazuh-master-sts.yaml -$ kubectl apply -f wazuh_managers/wazuh-worker-sts.yaml -``` ### Verifying the deployment @@ -191,7 +136,6 @@ kibana ClusterIP xxx.yy.zzz.76 5601/TC wazuh LoadBalancer xxx.yy.zzz.209 internal-a7a8... 1515:32623/TCP,55000:30283/TCP 9m wazuh-cluster ClusterIP None 1516/TCP 9m wazuh-elasticsearch ClusterIP None 9300/TCP 12m -wazuh-nginx LoadBalancer xxx.yy.zzz.223 internal-a3b1... 80:31831/TCP,443:30974/TCP 11m wazuh-workers LoadBalancer xxx.yy.zzz.26 internal-a7f9... 1514:31593/TCP 9m ``` 
@@ -201,31 +145,30 @@ wazuh-workers LoadBalancer xxx.yy.zzz.26 internal-a7f9... 1514:31 $ kubectl get deployments -n wazuh NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE wazuh-kibana 1 1 1 1 11m -wazuh-nginx 1 1 1 1 11m ``` #### Statefulsets ```BASH $ kubectl get statefulsets -n wazuh -NAME DESIRED CURRENT AGE -wazuh-elasticsearch 1 1 13m -wazuh-manager-master 1 1 9m -wazuh-manager-worker 1 1 9m - +NAME READY AGE +wazuh-elasticsearch 3/3 15m +wazuh-manager-master 1/1 15m +wazuh-manager-worker 2/2 15m ``` #### Pods ```BASH $ kubectl get pods -n wazuh -NAME READY STATUS RESTARTS AGE -wazuh-elasticsearch-0 1/1 Running 0 15m -wazuh-kibana-f4d9c7944-httsd 1/1 Running 0 14m -wazuh-manager-master-0 1/1 Running 0 12m -wazuh-manager-worker-0 1/1 Running 0 11m -wazuh-manager-worker-1 1/1 Running 0 11m -wazuh-nginx-748fb8494f-xwwhw 1/1 Running 0 14m +NAME READY STATUS RESTARTS AGE +wazuh-elasticsearch-0 1/1 Running 0 15m +wazuh-elasticsearch-1 1/1 Running 0 15m +wazuh-elasticsearch-2 1/1 Running 0 14m +wazuh-kibana-7c9657f5c5-z95pt 1/1 Running 0 6m18s +wazuh-manager-master-0 1/1 Running 0 6m10s +wazuh-manager-worker-0 1/1 Running 0 8m18s +wazuh-manager-worker-1 1/1 Running 0 8m38s ``` #### Accessing Kibana @@ -237,5 +180,5 @@ Also, you can access using the External-IP (from the VPC): https://internal-xxx- ```BASH $ kubectl get services -o wide -n wazuh NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR -wazuh-nginx LoadBalancer xxx.xx.xxx.xxx internal-xxx-yyy.us-east-1.elb.amazonaws.com 80:31831/TCP,443:30974/TCP 15m app=wazuh-nginx +kibana LoadBalancer xxx.xx.xxx.xxx internal-xxx-yyy.us-east-1.elb.amazonaws.com 80:31831/TCP,443:30974/TCP 15m app=wazuh-nginx ``` diff --git a/kustomization.yml b/kustomization.yml new file mode 100644 index 0000000..2dde9d2 --- /dev/null +++ b/kustomization.yml 
@@ -0,0 +1,61 @@
+# Copyright (C) 2020 Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# Adds wazuh namespace to all resources.
+namespace: wazuh
+
+secretGenerator:
+ - name: odfe-ssl-certs
+ files:
+ - certs/odfe_cluster/root-ca.pem
+ - certs/odfe_cluster/node.pem
+ - certs/odfe_cluster/node-key.pem
+ - certs/odfe_cluster/kibana.pem
+ - certs/odfe_cluster/kibana-key.pem
+ - certs/odfe_cluster/admin.pem
+ - certs/odfe_cluster/admin-key.pem
+ - certs/odfe_cluster/filebeat.pem
+ - certs/odfe_cluster/filebeat-key.pem
+ - name: kibana-certs
+ files:
+ - certs/kibana_http/cert.pem
+ - certs/kibana_http/key.pem
+
+configMapGenerator:
+ - name: elastic-odfe-conf
+ files:
+ - elastic_stack/elasticsearch/elastic_conf/elasticsearch.yml
+ - elastic_stack/elasticsearch/elastic_conf/internal_users.yml
+ - name: wazuh-conf
+ files:
+ - wazuh_managers/wazuh_conf/master.conf
+ - wazuh_managers/wazuh_conf/worker.conf
+
+resources:
+ - base/wazuh-ns.yaml
+ - base/aws-gp2-storage-class.yaml
+
+ - secrets/wazuh-api-cred-secret.yaml
+ - secrets/wazuh-authd-pass-secret.yaml
+ - secrets/wazuh-cluster-key-secret.yaml
+ - secrets/elastic-cred-secret.yaml
+
+ - wazuh_managers/wazuh-cluster-svc.yaml
+ - wazuh_managers/wazuh-master-svc.yaml
+ - wazuh_managers/wazuh-workers-svc.yaml
+ - wazuh_managers/wazuh-master-sts.yaml
+ - wazuh_managers/wazuh-worker-sts.yaml
+
+ - elastic_stack/elasticsearch/elasticsearch-svc.yaml
+ - elastic_stack/elasticsearch/cluster/elasticsearch-api-svc.yaml
+ - elastic_stack/elasticsearch/cluster/elasticsearch-sts.yaml
+
+ - elastic_stack/kibana/kibana-svc.yaml
+ - elastic_stack/kibana/kibana-deploy.yaml
diff --git a/secrets/elastic-cred-secret.yaml b/secrets/elastic-cred-secret.yaml
new file mode 100644
index 0000000..20d6872
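Review bot: The `resources:` list pulls in four static Secret manifests under `secrets/` whose values are committed to the repository, while the certificates right above them already go through `secretGenerator`; credentials would be safer generated the same way (`secretGenerator` with `envs:` or `literals:` read from a file kept out of version control) so a fresh install never ships the repository defaults. The single `odfe-ssl-certs` secret also bundles the admin, node, kibana and filebeat key pairs, so every workload that mounts it is handed the whole bundle; splitting it per consumer (for example a `filebeat-certs` secret holding only `root-ca.pem`, `filebeat.pem` and `filebeat-key.pem`) keeps each pod to the identity it needs and lets one key be rotated without re-rolling all of them. `secrets/wazuh-api-cred-secret.yaml` is listed here but, as far as this diff shows, the manager StatefulSets only reference `wazuh-api-cred` in commented-out env entries.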
--- /dev/null
+++ b/secrets/elastic-cred-secret.yaml
@@ -0,0 +1,16 @@
+# Copyright (C) 2020 Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+# Wazuh API credentials secret
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: elastic-cred
+data:
+ username: YWRtaW4= # string "admin" base64 encoded
+ password: U2VjcmV0UGFzc3dvcmQ= # string "SecretPassword" base64 encoded
diff --git a/secrets/wazuh-api-cred-secret.yaml b/secrets/wazuh-api-cred-secret.yaml
index fe99c52..0851837 100644
--- a/secrets/wazuh-api-cred-secret.yaml
+++ b/secrets/wazuh-api-cred-secret.yaml
@@ -13,5 +13,5 @@ metadata:
 name: wazuh-api-cred
 namespace: wazuh
 data:
- username: Zm9v # string "foo" base64 encoded
- password: YmFy # string "bar" base64 encoded
+ username: d2F6dWgtd3Vp # string "wazuh-wui" base64 encoded
+ password: TXlTM2NyMzdQNDUwci4qLQ== # string "MyS3cr37P450r.*-" base64 encoded
diff --git a/wazuh_managers/wazuh-cluster-svc.yaml b/wazuh_managers/wazuh-cluster-svc.yaml
index aac0fbb..1c297fb 100644
--- a/wazuh_managers/wazuh-cluster-svc.yaml
+++ b/wazuh_managers/wazuh-cluster-svc.yaml
@@ -1,4 +1,4 @@
-# Copyright (C) 2018 Wazuh Inc.
+# Copyright (C) 2020 Wazuh Inc.
 #
 # This program is a free software; you can redistribute it
 # and/or modify it under the terms of the GNU General Public
diff --git a/wazuh_managers/wazuh-master-conf.yaml b/wazuh_managers/wazuh-master-conf.yaml
deleted file mode 100644
index cf88380..0000000
--- a/wazuh_managers/wazuh-master-conf.yaml
+++ /dev/null
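Review bot: The header comment `# Wazuh API credentials secret` does not describe this file, which holds the Open Distro `admin` credentials consumed as `elastic-cred`; it should read `# Elasticsearch (Open Distro) admin credentials secret`. The `admin` / `SecretPassword` pair is a committed default and, since `internal_users.yml` is shipped through the configMapGenerator in the same change, the password presumably has to agree with the admin entry stored there, so a mismatch after a change would fail silently. A comment next to `password:` such as `# CHANGEME before deploying; keep in sync with the admin entry in elastic_conf/internal_users.yml` makes the rotation step and the coupling explicit.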
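Review bot: The new values `wazuh-wui` / `MyS3cr37P450r.*-` are the documented default API credentials for this Wazuh release, so committing them here is equivalent to leaving the default in place; the inline comment should flag that, e.g. `# default credentials - change before deploying`. As far as this diff shows, nothing consumes this secret any more (the manager StatefulSets keep `wazuh-api-cred` only in commented-out env entries), so either the consumer should be restored or the secret dropped from `kustomization.yml` to avoid carrying an unused credential.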
@@ -1,345 +0,0 @@ -# Copyright (C) 2018 Wazuh Inc. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -# Wazuh master conf - -apiVersion: v1 -kind: ConfigMap -metadata: - name: wazuh-manager-master-conf - namespace: wazuh -data: - # /var/ossec/etc-template/ossec.conf - ossec.conf: |- - - - - yes - yes - no - no - no - smtp.example.wazuh.com - ossecm@example.wazuh.com - recipient@example.wazuh.com - 12 - 131072 - - - - 3 - 12 - - - - - plain - - - - secure - 1514 - tcp - 131072 - - - - - no - yes - yes - yes - yes - yes - yes - yes - yes - - - 43200 - - /var/ossec/etc/rootcheck/rootkit_files.txt - /var/ossec/etc/rootcheck/rootkit_trojans.txt - - /var/ossec/etc/rootcheck/system_audit_rcl.txt - /var/ossec/etc/rootcheck/system_audit_ssh.txt - - yes - - - - yes - 1800 - 1d - yes - - - - yes - 1800 - 1d - yes - - wodles/java - wodles/ciscat - - - - - yes - yes - /var/log/osquery/osqueryd.results.log - /etc/osquery/osquery.conf - yes - - - - - no - 1h - yes - yes - yes - yes - yes - yes - yes - - - - yes - 1m - yes - - yes - 1h - - - yes - 1h - - - yes - 1h - - - - - - no - - - 43200 - - yes - - - yes - - - no - - - /etc,/usr/bin,/usr/sbin - /bin,/sbin,/boot - - - /etc/mtab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/random.seed - /etc/adjtime - /etc/httpd/logs - /etc/utmpx - /etc/wtmpx - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - /sys/kernel/security - /sys/kernel/debug - - - /etc/ssl/private.key - - yes - - - yes - - - yes - - - - - 127.0.0.1 - ^localhost.localdomain$ - 10.66.0.2 - - - - disable-account - disable-account.sh - user - yes - - - - restart-ossec - restart-ossec.sh - - - - - firewall-drop - firewall-drop.sh - srcip - yes - - - - host-deny - host-deny.sh - srcip - yes - - - - route-null - route-null.sh - srcip - yes - - - - win_route-null - route-null.cmd - srcip - yes - - 
- - win_route-null-2012 - route-null-2012.cmd - srcip - yes - - - - netsh - netsh.cmd - srcip - yes - - - - netsh-win-2016 - netsh-win-2016.cmd - srcip - yes - - - - - - - command - df -P - 360 - - - - full_command - netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d - netstat listening ports - 360 - - - - full_command - last -n 20 - 360 - - - - - ruleset/decoders - ruleset/rules - 0215-policy_rules.xml - etc/lists/audit-keys - etc/lists/amazon/aws-sources - etc/lists/amazon/aws-eventnames - - - etc/decoders - etc/rules - - - - - no - 1515 - no - no - 0 - no - yes - yes - HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH - - no - /var/ossec/etc/sslmanager.cert - /var/ossec/etc/sslmanager.key - no - - - - wazuh - wazuh-manager-master - master - to_be_replaced_by_cluster_key - 1516 - 0.0.0.0 - - wazuh-manager-master-0.wazuh-cluster.wazuh.svc.cluster.local - - no - no - - - - - - syslog - /var/ossec/logs/active-responses.log - - - - syslog - /var/log/syslog - - - - syslog - /var/log/dpkg.log - - diff --git a/wazuh_managers/wazuh-master-sts.yaml b/wazuh_managers/wazuh-master-sts.yaml index f99b0d3..dc03160 100644 --- a/wazuh_managers/wazuh-master-sts.yaml +++ b/wazuh_managers/wazuh-master-sts.yaml @@ -1,4 +1,4 @@ -# Copyright (C) 2018 Wazuh Inc. +# Copyright (C) 2020 Wazuh Inc. # # This program is a free software; you can redistribute it # and/or modify it under the terms of the GNU General Public 
@@ -30,34 +30,80 @@ spec: volumes: - name: config configMap: - name: wazuh-manager-master-conf + name: wazuh-conf + - name: filebeat-certs + secret: + secretName: odfe-ssl-certs - name: wazuh-authd-pass secret: secretName: wazuh-authd-pass containers: - name: wazuh-manager - image: 'wazuh/wazuh:3.13.2_7.9.1' + image: 'wazuh/wazuh-odfe:4.0.0_1.10.1' resources: requests: - cpu: 2 - memory: 1024Mi + cpu: 1 + memory: 1Gi limits: cpu: 2 - memory: 2048Mi + memory: 2Gi + securityContext: + capabilities: + add: ["SYS_CHROOT"] volumeMounts: - name: config mountPath: /wazuh-config-mount/etc/ossec.conf - subPath: ossec.conf + subPath: master.conf + readOnly: true + - name: filebeat-certs + mountPath: /etc/ssl/root-ca.pem + readOnly: true + subPath: root-ca.pem + - name: filebeat-certs + mountPath: /etc/ssl/filebeat.pem + subPath: filebeat.pem + readOnly: true + - name: filebeat-certs + mountPath: /etc/ssl/filebeat.key + subPath: filebeat-key.pem readOnly: true - - name: wazuh-manager-master - mountPath: /var/ossec/data - name: wazuh-authd-pass mountPath: /wazuh-config-mount/etc/authd.pass subPath: authd.pass readOnly: true - securityContext: - capabilities: - add: ["SYS_CHROOT"] + - name: wazuh-manager-master + mountPath: /var/ossec/api/configuration + subPath: wazuh/var/ossec/api/configuration + - name: wazuh-manager-master + mountPath: /var/ossec/etc + subPath: wazuh/var/ossec/etc + - name: wazuh-manager-master + mountPath: /var/ossec/logs + subPath: wazuh/var/ossec/logs + - name: wazuh-manager-master + mountPath: /var/ossec/queue + subPath: wazuh/var/ossec/queue + - name: wazuh-manager-master + mountPath: /var/ossec/var/multigroups + subPath: wazuh/var/ossec/var/multigroups + - name: wazuh-manager-master + mountPath: /var/ossec/integrations + subPath: wazuh/var/ossec/integrations + - name: wazuh-manager-master + mountPath: /var/ossec/active-response/bin + subPath: wazuh/var/ossec/active-response/bin + - name: wazuh-manager-master + mountPath: /var/ossec/agentless + 
subPath: wazuh/var/ossec/agentless + - name: wazuh-manager-master + mountPath: /var/ossec/wodles + subPath: wazuh/var/ossec/wodles + - name: wazuh-manager-master + mountPath: /etc/filebeat + subPath: filebeat/etc/filebeat + - name: wazuh-manager-master + mountPath: /var/lib/filebeat + subPath: filebeat/var/lib/filebeat ports: - containerPort: 1515 name: registration @@ -66,16 +112,36 @@ spec: - containerPort: 55000 name: api env: - - name: API_USER + - name: ELASTICSEARCH_URL + value: 'https://wazuh-elasticsearch-0.wazuh-elasticsearch:9200' + - name: ELASTIC_USERNAME valueFrom: secretKeyRef: - name: wazuh-api-cred + name: elastic-cred key: username - - name: API_PASS + - name: ELASTIC_PASSWORD valueFrom: secretKeyRef: - name: wazuh-api-cred + name: elastic-cred key: password + - name: FILEBEAT_SSL_VERIFICATION_MODE + value: 'none' + - name: SSL_CERTIFICATE_AUTHORITIES + value: /etc/ssl/root-ca.pem + - name: SSL_CERTIFICATE + value: /etc/ssl/filebeat.pem + - name: SSL_KEY + value: /etc/ssl/filebeat.key + # - name: API_USERNAME + # valueFrom: + # secretKeyRef: + # name: wazuh-api-cred + # key: username + # - name: API_PASSWORD + # valueFrom: + # secretKeyRef: + # name: wazuh-api-cred + # key: password - name: WAZUH_CLUSTER_KEY valueFrom: secretKeyRef: diff --git a/wazuh_managers/wazuh-master-svc.yaml b/wazuh_managers/wazuh-master-svc.yaml index 623bc0c..ec4e6d9 100644 --- a/wazuh_managers/wazuh-master-svc.yaml +++ b/wazuh_managers/wazuh-master-svc.yaml @@ -1,4 +1,4 @@ -# Copyright (C) 2018 Wazuh Inc. +# Copyright (C) 2020 Wazuh Inc. # # This program is a free software; you can redistribute it # and/or modify it under the terms of the GNU General Public diff --git a/wazuh_managers/wazuh-worker-conf.yaml b/wazuh_managers/wazuh-worker-conf.yaml deleted file mode 100644 index 0121423..0000000 --- a/wazuh_managers/wazuh-worker-conf.yaml +++ /dev/null 
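Review bot: The `filebeat-certs` and `config` volumes are mounted with `subPath`, so the container keeps the file content it had at pod start and will not see a re-generated `odfe-ssl-certs` secret or an updated `wazuh-conf` ConfigMap until the pod is recreated; that is acceptable for a pinned deployment but deserves a comment above the first `subPath:` mount, e.g. `# subPath mounts are not refreshed when the Secret/ConfigMap changes; recreate the pod after rotating certs or config`. The same pattern is used in `wazuh-worker-sts.yaml`. The StatefulSet's `spec:` starts before this hunk.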
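Review bot: `FILEBEAT_SSL_VERIFICATION_MODE` is set to `'none'` while a root CA is mounted and passed via `SSL_CERTIFICATE_AUTHORITIES`, so Filebeat will accept any certificate presented at `ELASTICSEARCH_URL` and the mounted CA never serves its purpose; with the CA in place the line should be `value: 'full'`, and if the generated node certificate does not carry that hostname the certificate should be fixed rather than verification disabled. `ELASTICSEARCH_URL` also pins a single pod, `wazuh-elasticsearch-0.wazuh-elasticsearch`, rather than the `elasticsearch` API service described in `instructions.md`, so alert shipping from the master stops whenever that one pod is down. `wazuh-worker-sts.yaml` carries the same two settings. The commented-out `API_USERNAME`/`API_PASSWORD` entries should either be removed or get a one-line comment stating why they are kept.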
@@ -1,345 +0,0 @@ -# Copyright (C) 2018 Wazuh Inc. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -# Wazuh worker conf - -apiVersion: v1 -kind: ConfigMap -metadata: - name: wazuh-manager-worker-conf - namespace: wazuh -data: - # /var/ossec/etc-template/ossec.conf - ossec.conf: |- - - - - yes - yes - no - no - no - smtp.example.wazuh.com - ossecm@example.wazuh.com - recipient@example.wazuh.com - 12 - 131072 - - - - 3 - 12 - - - - - plain - - - - secure - 1514 - tcp - 131072 - - - - - no - yes - yes - yes - yes - yes - yes - yes - yes - - - 43200 - - /var/ossec/etc/rootcheck/rootkit_files.txt - /var/ossec/etc/rootcheck/rootkit_trojans.txt - - /var/ossec/etc/rootcheck/system_audit_rcl.txt - /var/ossec/etc/rootcheck/system_audit_ssh.txt - - yes - - - - yes - 1800 - 1d - yes - - - - yes - 1800 - 1d - yes - - wodles/java - wodles/ciscat - - - - - yes - yes - /var/log/osquery/osqueryd.results.log - /etc/osquery/osquery.conf - yes - - - - - no - 1h - yes - yes - yes - yes - yes - yes - yes - - - - yes - 1m - yes - - yes - 1h - - - yes - 1h - - - yes - 1h - - - - - - no - - - 43200 - - yes - - - yes - - - no - - - /etc,/usr/bin,/usr/sbin - /bin,/sbin,/boot - - - /etc/mtab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/random.seed - /etc/adjtime - /etc/httpd/logs - /etc/utmpx - /etc/wtmpx - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - /sys/kernel/security - /sys/kernel/debug - - - /etc/ssl/private.key - - yes - - - yes - - - yes - - - - - 127.0.0.1 - ^localhost.localdomain$ - 10.66.0.2 - - - - disable-account - disable-account.sh - user - yes - - - - restart-ossec - restart-ossec.sh - - - - - firewall-drop - firewall-drop.sh - srcip - yes - - - - host-deny - host-deny.sh - srcip - yes - - - - route-null - route-null.sh - srcip - yes - - - - win_route-null - route-null.cmd - srcip - yes - - 
- - win_route-null-2012 - route-null-2012.cmd - srcip - yes - - - - netsh - netsh.cmd - srcip - yes - - - - netsh-win-2016 - netsh-win-2016.cmd - srcip - yes - - - - - - - command - df -P - 360 - - - - full_command - netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d - netstat listening ports - 360 - - - - full_command - last -n 20 - 360 - - - - - ruleset/decoders - ruleset/rules - 0215-policy_rules.xml - etc/lists/audit-keys - etc/lists/amazon/aws-sources - etc/lists/amazon/aws-eventnames - - - etc/decoders - etc/rules - - - - - no - 1515 - no - no - 0 - no - no - yes - HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH - - no - /var/ossec/etc/sslmanager.cert - /var/ossec/etc/sslmanager.key - no - - - - wazuh - to_be_replaced_by_hostname - worker - to_be_replaced_by_cluster_key - 1516 - 0.0.0.0 - - wazuh-manager-master-0.wazuh-cluster.wazuh.svc.cluster.local - - no - no - - - - - - syslog - /var/ossec/logs/active-responses.log - - - - syslog - /var/log/syslog - - - - syslog - /var/log/dpkg.log - - diff --git a/wazuh_managers/wazuh-worker-sts.yaml b/wazuh_managers/wazuh-worker-sts.yaml index 6c10347..d4c7af0 100644 --- a/wazuh_managers/wazuh-worker-sts.yaml +++ b/wazuh_managers/wazuh-worker-sts.yaml @@ -1,11 +1,11 @@ -# Copyright (C) 2018 Wazuh Inc. +# Copyright (C) 2020 Wazuh Inc. # # This program is a free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation. -# Wazuh worker StatefulSet: 0 +# Wazuh workers StatefulSet apiVersion: apps/v1 kind: StatefulSet 
@@ -36,43 +36,99 @@ spec: volumes: - name: config configMap: - name: wazuh-manager-worker-conf + name: wazuh-conf + - name: filebeat-certs + secret: + secretName: odfe-ssl-certs containers: - name: wazuh-manager - image: "wazuh/wazuh:3.13.2_7.9.1" + image: 'wazuh/wazuh-odfe:4.0.0_1.10.1' resources: requests: - cpu: 2 - memory: 1024Mi + cpu: 1 + memory: 1Gi limits: cpu: 2 - memory: 2048Mi + memory: 2Gi + securityContext: + capabilities: + add: ["SYS_CHROOT"] volumeMounts: - name: config mountPath: /wazuh-config-mount/etc/ossec.conf - subPath: ossec.conf + subPath: worker.conf + readOnly: true + - name: filebeat-certs + mountPath: /etc/ssl/root-ca.pem + readOnly: true + subPath: root-ca.pem + - name: filebeat-certs + mountPath: /etc/ssl/filebeat.pem + subPath: filebeat.pem + readOnly: true + - name: filebeat-certs + mountPath: /etc/ssl/filebeat.key + subPath: filebeat-key.pem readOnly: true - name: wazuh-manager-worker - mountPath: /var/ossec/data + mountPath: /var/ossec/api/configuration + subPath: wazuh/var/ossec/api/configuration + - name: wazuh-manager-worker + mountPath: /var/ossec/etc + subPath: wazuh/var/ossec/etc + - name: wazuh-manager-worker + mountPath: /var/ossec/logs + subPath: wazuh/var/ossec/logs + - name: wazuh-manager-worker + mountPath: /var/ossec/queue + subPath: wazuh/var/ossec/queue + - name: wazuh-manager-worker + mountPath: /var/ossec/var/multigroups + subPath: wazuh/var/ossec/var/multigroups + - name: wazuh-manager-worker + mountPath: /var/ossec/integrations + subPath: wazuh/var/ossec/integrations + - name: wazuh-manager-worker + mountPath: /var/ossec/active-response/bin + subPath: wazuh/var/ossec/active-response/bin + - name: wazuh-manager-worker + mountPath: /var/ossec/agentless + subPath: wazuh/var/ossec/agentless + - name: wazuh-manager-worker + mountPath: /var/ossec/wodles + subPath: wazuh/var/ossec/wodles + - name: wazuh-manager-worker + mountPath: /etc/filebeat + subPath: filebeat/etc/filebeat + - name: wazuh-manager-worker + mountPath: 
/var/lib/filebeat + subPath: filebeat/var/lib/filebeat ports: - containerPort: 1514 name: agents-events - containerPort: 1516 name: cluster - securityContext: - capabilities: - add: ["SYS_CHROOT"] env: - - name: API_USER + - name: ELASTICSEARCH_URL + value: 'https://wazuh-elasticsearch-0.wazuh-elasticsearch:9200' + - name: ELASTIC_USERNAME valueFrom: secretKeyRef: - name: wazuh-api-cred + name: elastic-cred key: username - - name: API_PASS + - name: ELASTIC_PASSWORD valueFrom: secretKeyRef: - name: wazuh-api-cred + name: elastic-cred key: password + - name: FILEBEAT_SSL_VERIFICATION_MODE + value: 'none' + - name: SSL_CERTIFICATE_AUTHORITIES + value: /etc/ssl/root-ca.pem + - name: SSL_CERTIFICATE + value: /etc/ssl/filebeat.pem + - name: SSL_KEY + value: /etc/ssl/filebeat.key - name: WAZUH_CLUSTER_KEY valueFrom: secretKeyRef: @@ -88,4 +144,4 @@ spec: storageClassName: gp2-encrypted-retained resources: requests: - storage: 10Gi + storage: 50Gi diff --git a/wazuh_managers/wazuh-workers-svc.yaml b/wazuh_managers/wazuh-workers-svc.yaml index 56075ee..664621e 100644 --- a/wazuh_managers/wazuh-workers-svc.yaml +++ b/wazuh_managers/wazuh-workers-svc.yaml @@ -1,4 +1,4 @@ -# Copyright (C) 2018 Wazuh Inc. +# Copyright (C) 2020 Wazuh Inc. # # This program is a free software; you can redistribute it # and/or modify it under the terms of the GNU General Public diff --git a/wazuh_managers/wazuh_conf/master.conf b/wazuh_managers/wazuh_conf/master.conf new file mode 100644 index 0000000..73efd5c --- /dev/null +++ b/wazuh_managers/wazuh_conf/master.conf 
@@ -0,0 +1,328 @@ + + + + yes + yes + no + no + no + smtp.example.wazuh.com + ossecm@example.wazuh.com + recipient@example.wazuh.com + 12 + 131072 + + + + 3 + 12 + + + + + plain + + + + secure + 1514 + tcp + 131072 + + + + + no + yes + yes + yes + yes + yes + yes + yes + yes + + + 43200 + + /var/ossec/etc/rootcheck/rootkit_files.txt + /var/ossec/etc/rootcheck/rootkit_trojans.txt + + /var/ossec/etc/rootcheck/system_audit_rcl.txt + /var/ossec/etc/rootcheck/system_audit_ssh.txt + + yes + + + + yes + 1800 + 1d + yes + + + + yes + 1800 + 1d + yes + + wodles/java + wodles/ciscat + + + + + yes + yes + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + yes + + + + + no + 1h + yes + yes + yes + yes + yes + yes + yes + + + + yes + 1m + yes + + yes + 1h + + + yes + 1h + + + yes + 1h + + + + + + no + + + 43200 + + yes + + + yes + + + no + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin,/boot + + + /etc/mtab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/random.seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + /sys/kernel/security + /sys/kernel/debug + + + /etc/ssl/private.key + + yes + + + yes + + + yes + + + + + 127.0.0.1 + ^localhost.localdomain$ + 10.66.0.2 + + + + disable-account + disable-account.sh + user + yes + + + + restart-ossec + restart-ossec.sh + + + + + firewall-drop + firewall-drop.sh + srcip + yes + + + + host-deny + host-deny.sh + srcip + yes + + + + route-null + route-null.sh + srcip + yes + + + + win_route-null + route-null.cmd + srcip + yes + + + + win_route-null-2012 + route-null-2012.cmd + srcip + yes + + + + netsh + netsh.cmd + srcip + yes + + + + netsh-win-2016 + netsh-win-2016.cmd + srcip + yes + + + + + + + command + df -P + 360 + + + + full_command + netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | 
sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + netstat listening ports + 360 + + + + full_command + last -n 20 + 360 + + + + + ruleset/decoders + ruleset/rules + 0215-policy_rules.xml + etc/lists/audit-keys + etc/lists/amazon/aws-sources + etc/lists/amazon/aws-eventnames + + + etc/decoders + etc/rules + + + + + no + 1515 + no + no + 0 + no + yes + yes + HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH + + no + /var/ossec/etc/sslmanager.cert + /var/ossec/etc/sslmanager.key + no + + + + wazuh + wazuh-manager-master + master + to_be_replaced_by_cluster_key + 1516 + 0.0.0.0 + + wazuh-manager-master-0.wazuh-cluster.wazuh.svc.cluster.local + + no + no + + + + + + syslog + /var/ossec/logs/active-responses.log + + + + syslog + /var/log/syslog + + + + syslog + /var/log/dpkg.log + + \ No newline at end of file diff --git a/wazuh_managers/wazuh_conf/worker.conf b/wazuh_managers/wazuh_conf/worker.conf new file mode 100644 index 0000000..3b2ad73 --- /dev/null +++ b/wazuh_managers/wazuh_conf/worker.conf 
@@ -0,0 +1,328 @@ + + + + yes + yes + no + no + no + smtp.example.wazuh.com + ossecm@example.wazuh.com + recipient@example.wazuh.com + 12 + 131072 + + + + 3 + 12 + + + + + plain + + + + secure + 1514 + tcp + 131072 + + + + + no + yes + yes + yes + yes + yes + yes + yes + yes + + + 43200 + + /var/ossec/etc/rootcheck/rootkit_files.txt + /var/ossec/etc/rootcheck/rootkit_trojans.txt + + /var/ossec/etc/rootcheck/system_audit_rcl.txt + /var/ossec/etc/rootcheck/system_audit_ssh.txt + + yes + + + + yes + 1800 + 1d + yes + + + + yes + 1800 + 1d + yes + + wodles/java + wodles/ciscat + + + + + yes + yes + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + yes + + + + + no + 1h + yes + yes + yes + yes + yes + yes + yes + + + + yes + 1m + yes + + yes + 1h + + + yes + 1h + + + yes + 1h + + + + + + no + + + 43200 + + yes + + + yes + + + no + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin,/boot + + + /etc/mtab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/random.seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + /sys/kernel/security + /sys/kernel/debug + + + /etc/ssl/private.key + + yes + + + yes + + + yes + + + + + 127.0.0.1 + ^localhost.localdomain$ + 10.66.0.2 + + + + disable-account + disable-account.sh + user + yes + + + + restart-ossec + restart-ossec.sh + + + + + firewall-drop + firewall-drop.sh + srcip + yes + + + + host-deny + host-deny.sh + srcip + yes + + + + route-null + route-null.sh + srcip + yes + + + + win_route-null + route-null.cmd + srcip + yes + + + + win_route-null-2012 + route-null-2012.cmd + srcip + yes + + + + netsh + netsh.cmd + srcip + yes + + + + netsh-win-2016 + netsh-win-2016.cmd + srcip + yes + + + + + + + command + df -P + 360 + + + + full_command + netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | 
sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + netstat listening ports + 360 + + + + full_command + last -n 20 + 360 + + + + + ruleset/decoders + ruleset/rules + 0215-policy_rules.xml + etc/lists/audit-keys + etc/lists/amazon/aws-sources + etc/lists/amazon/aws-eventnames + + + etc/decoders + etc/rules + + + + + no + 1515 + no + no + 0 + no + no + yes + HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH + + no + /var/ossec/etc/sslmanager.cert + /var/ossec/etc/sslmanager.key + no + + + + wazuh + to_be_replaced_by_hostname + worker + to_be_replaced_by_cluster_key + 1516 + 0.0.0.0 + + wazuh-manager-master-0.wazuh-cluster.wazuh.svc.cluster.local + + no + no + + + + + + syslog + /var/ossec/logs/active-responses.log + + + + syslog + /var/log/syslog + + + + syslog + /var/log/dpkg.log + + \ No newline at end of file