wazuh/wazuh-kubernetes
1
0
Fork 0
mirror of https://github.com/wazuh/wazuh-kubernetes.git synced 2025-12-10 00:38:21 -06:00
Code Issues Packages Projects Releases 100 Wiki Activity

First version

Browse Source
This commit is contained in:
Jesus Linares 2018-11-27 14:19:17 -05:00
parent d604974de2
commit f1f8bcfaa6
24 changed files with 2058 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
CHANGELOG.md Normal file
View File

@ -0,0 +1,9 @@
# Change Log
All notable changes to this project will be documented in this file.
## [v3.7.0]
### Added
- Initial version

37
README.md
View File

@ -1,2 +1,35 @@
# wazuh-kubernetes
Wazuh on Kubernetes
# Wazuh Kubernetes
[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://goo.gl/forms/M2AoZC4b2R9A9Zy12)
[![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
[![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
Deploy on Kubernetes a Wazuh cluster with a basic Elastic stack.
## Documentation
The *instructions.md* file describes how to deploy Wazuh on Kubernetes.
## Branches
* `stable` branch on correspond to the last Wazuh stable version.
* `master` branch contains the latest code, be aware of possible bugs on this branch.
## Contribute
If you want to contribute to our project please don't hesitate to send a pull request. You can also join our users [mailing list](https://groups.google.com/d/forum/wazuh), by sending an email to [wazuh+subscribe@googlegroups.com](mailto:wazuh+subscribe@googlegroups.com), to ask questions and participate in discussions.
## Credits and Thank you
Based on the previous work from JPLachance [coveo/wazuh-kubernetes](https://github.com/coveo/wazuh-kubernetes) (2018/11/22).
## License and copyright
WAZUH
Copyright (C) 2016-2018 Wazuh Inc. (License GPLv2)
## References
* [Wazuh website](http://wazuh.com)

2
VERSION Normal file
View File

@ -0,0 +1,2 @@
SAAS_VERSION="v3.7.0"
REVISION="3700"

18
base/aws-gp2-storage-class.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh StorageClass
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: gp2-encrypted-retained
provisioner: kubernetes.io/aws-ebs
parameters:
encrypted: 'true'
type: gp2
reclaimPolicy: Retain # Useful in case you delete the PersistentVolumeClaim

13
base/wazuh-ns.yaml Normal file
View File

@ -0,0 +1,13 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh namespace
apiVersion: v1
kind: Namespace
metadata:
name: wazuh

23
elastic_stack/elasticsearch/elasticsearch-api-svc.yaml Normal file
View File

@ -0,0 +1,23 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Elasticsearch service: API
apiVersion: v1
kind: Service
metadata:
name: elasticsearch
namespace: wazuh
labels:
app: wazuh-elasticsearch
spec:
selector:
app: wazuh-elasticsearch
ports:
- name: es-rest
port: 9200
targetPort: 9200

84
elastic_stack/elasticsearch/elasticsearch-sts.yaml Normal file
View File

@ -0,0 +1,84 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Elasticsearch StatefulSet: Single node.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: wazuh-elasticsearch
namespace: wazuh
spec:
replicas: 1
selector:
matchLabels:
app: wazuh-elasticsearch
serviceName: wazuh-elasticsearch
template:
metadata:
labels:
app: wazuh-elasticsearch
name: wazuh-elasticsearch
spec:
# Set the wazuh-elasticsearch volume permissions so the elasticsearch user can use it!
initContainers:
- name: volume-mount-hack
image: busybox
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 100m
memory: 256Mi
command:
- sh
- '-c'
- 'chown -R 1000:1000 /usr/share/elasticsearch/data'
volumeMounts:
- name: wazuh-elasticsearch
mountPath: /usr/share/elasticsearch/data
containers:
- name: wazuh-elasticsearch
image: 'docker.elastic.co/elasticsearch/elasticsearch:6.5.0'
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 1
memory: 2Gi
env:
- name: ES_JAVA_OPTS
value: '-Xms1024m -Xmx1024m'
- name: bootstrap.memory_lock
value: 'false'
- name: cluster.name
value: wazuh
- name: network.host
value: 0.0.0.0
- name: node.name
value: node-1
volumeMounts:
- name: wazuh-elasticsearch
mountPath: /usr/share/elasticsearch/data
ports:
- containerPort: 9200
name: es-rest
- containerPort: 9300
name: es-nodes
volumeClaimTemplates:
- metadata:
name: wazuh-elasticsearch
namespace: wazuh
spec:
accessModes:
- ReadWriteOnce
storageClassName: gp2-encrypted-retained
resources:
requests:
storage: 30Gi

24
elastic_stack/elasticsearch/elasticsearch-svc.yaml Normal file
View File

@ -0,0 +1,24 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Elasticsearch service: Communications
apiVersion: v1
kind: Service
metadata:
name: wazuh-elasticsearch
namespace: wazuh
labels:
app: wazuh-elasticsearch
spec:
selector:
app: wazuh-elasticsearch
ports:
- name: es-nodes
port: 9300
targetPort: 9300
clusterIP: None

43
elastic_stack/kibana/kibana-deploy.yaml Normal file
View File

@ -0,0 +1,43 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Kibana Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: wazuh-kibana
namespace: wazuh
spec:
replicas: 1
selector:
matchLabels:
app: wazuh-kibana
template:
metadata:
labels:
app: wazuh-kibana
name: wazuh-kibana
spec:
containers:
- name: wazuh-kibana
image: 'wazuh/wazuh-kibana:3.7.0_6.5.0'
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 400m
memory: 1024Mi
ports:
- containerPort: 5601
name: kibana
env:
- name: ELASTICSEARCH_URL
value: 'http://elasticsearch:9200'
- name: NODE_OPTIONS
value: '--max-old-space-size=512'

23
elastic_stack/kibana/kibana-svc.yaml Normal file
View File

@ -0,0 +1,23 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Kibana service
apiVersion: v1
kind: Service
metadata:
name: kibana
namespace: wazuh
labels:
app: wazuh-kibana
spec:
selector:
app: wazuh-kibana
ports:
- name: kibana
port: 5601
targetPort: 5601

41
elastic_stack/kibana/nginx-deploy.yaml Normal file
View File

@ -0,0 +1,41 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Nginx Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: wazuh-nginx
namespace: wazuh
spec:
replicas: 1
selector:
matchLabels:
app: wazuh-nginx
template:
metadata:
labels:
app: wazuh-nginx
name: wazuh-nginx
spec:
containers:
- name: wazuh-nginx
image: 'wazuh/wazuh-nginx:3.7.0_6.5.0'
resources:
requests:
cpu: 100m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
env:
- name: NGINX_PORT
value: '443'
ports:
- containerPort: 80
- containerPort: 443

34
elastic_stack/kibana/nginx-svc.yaml Normal file
View File

@ -0,0 +1,34 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Nginx service
apiVersion: v1
kind: Service
metadata:
name: wazuh-nginx
namespace: wazuh
labels:
app: wazuh-nginx
# dns: route53
annotations:
# domainName: 'wazuh.some-domain.com' # TODO: Change this for a Hosted Zone you configured in AWS Route 53
service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
# service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 'put_your_aws_acm_certificate_arn_here'
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: '443'
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
spec:
type: LoadBalancer
selector:
app: wazuh-nginx
ports:
- name: web-http
port: 80
targetPort: 80
- name: web-https
port: 443
targetPort: 443

40
elastic_stack/logstash/logstash-deploy.yaml Normal file
View File

@ -0,0 +1,40 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Logstash Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: wazuh-logstash
namespace: wazuh
spec:
replicas: 1
selector:
matchLabels:
app: wazuh-logstash
template:
metadata:
labels:
app: wazuh-logstash
name: wazuh-logstash
spec:
containers:
- name: wazuh-logstash
image: 'wazuh/wazuh-logstash:3.7.0_6.5.0'
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 1
memory: 1.5Gi
env:
- name: LS_JAVA_OPTS
value: '-Xmx1g -Xms512m'
ports:
- containerPort: 5000

23
elastic_stack/logstash/logstash-svc.yaml Normal file
View File

@ -0,0 +1,23 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Logstash Service
apiVersion: v1
kind: Service
metadata:
name: logstash
namespace: wazuh
labels:
app: wazuh-logstash
spec:
selector:
app: wazuh-logstash
ports:
- name: beats
port: 5000
targetPort: 5000

283
instructions.md Normal file
View File

@ -0,0 +1,283 @@
# Usage
This guide describes the necessary steps to deploy Wazuh on Kubernetes.
## Pre-requisites
- Kubernetes cluster already deployed.
- Kubernetes can run on a wide range of Cloud providers and bare-metal environments, this repository is focus on [AWS](https://aws.amazon.com/). It was tested using [Amazon EKS](https://docs.aws.amazon.com/eks). You should be able to:
- Create Persistent Volumes on top of AWS EBS when using a volumeClaimTemplates
- Create a record set in AWS Route 53 from a Kubernetes LoadBalancer.
- Having at least two Kubernetes nodes in order to meet the *podAntiAffinity* policy.
## Overview
### StateFulSet and Deployments Controllers
Like a Deployment, a StatefulSet manages Pods that are based on an identical container specification, but StatefulSet maintains an identity attached to each of its pods. These pods are created from the same specification, but they are not interchangeable: each one has a persistent identifier that it maintains across any rescheduling.
It is useful for stateful applications like databases that save the data to a persistent storage. The states of each Wazuh manager as well as Elasticsearch are desirable to maintain, so we declare them using StatefulSet to ensure that they maintain their states at every startup.
Deployments are intended for stateless use and are quite lightweight and seem to be appropriate for Logstash, Kibana and Nginx, where it is not necessary to maintain the states.
### Pods
#### Wazuh master
This pod contains the master node of the Wazuh cluster. The master node centralizes and coordinates worker nodes, making sure the critical and required data is consistent across all nodes.
The management is performed only in this node, so the agent registration service (authd) and the API are placed here.
Details:
- Image: Docker Hub 'wazuh/wazuh:3.7.0_6.5.0'
- Controller: StatefulSet
#### Wazuh worker 0 / 1
These pods contain a worker node of the Wazuh cluster. They will receive the agent events.
Details:
- Image: Docker Hub 'wazuh/wazuh:3.7.0_6.5.0'
- Controller: StatefulSet
#### Elasticsearch
This pod handles Elasticsearch, receiving and storing alerts received from Logstash.
Details:
- Image: docker.elastic.co/elasticsearch/elasticsearch:6.5.0
- Controller: StatefulSet
#### Logstash
In this pod we maintain Logstash, which receives the alerts from each Filebeat located in each Wazuh manager. Then, the alerts are sent to Elasticsearch.
Details:
- image: Docker Hub 'wazuh/logstash:3.7.0_6.5.0'
- Controller: Deployment
#### Kibana
This pod in in charge of Kibana, it lets you visualize your Elasticsearch data, along with other features as the Wazuh app.
Details:
- image: Docker Hub 'wazuh/kibana:3.7.0_6.5.0'
- Controller: Deployment
#### Nginx
In this pod manages Nginx to act as an reverse proxy for safer use and access to Kibana.
Details:
- image: Docker Hub 'wazuh/nginx:3.7.0_6.5.0'
- Controller: Deployment
### Services
#### Elastic stack
- wazuh-elasticsearch:
- Communication for Elasticsearch nodes.
- elasticsearch:
- Elasticsearch API. Used by Logstash/Kibana to write/read alerts.
- wazuh-nginx:
- Nginx proxy to access Kibana: https://wazuh.your-domain.com:443
- kibana:
- Kibana service.
- Logstash:
- Logstash service, each Manager node has a Filebeat pointing to this service.
#### Wazuh
- wazuh:
- Wazuh API: wazuh-master.your-domain.com:55000
- Agent registration service (authd): wazuh-master.your-domain.com:1515
- wazuh-workers:
- Reporting service: wazuh-manager.your-domain.com:1514
- wazuh-cluster:
- Communication for Wazuh manager nodes.
## Deploy
### Step 1: Deploy Kubernetes
Deploy the Kubernetes cluster is out of the scope of this guide.
This repository is focus on [AWS](https://aws.amazon.com/) but it should be easy to adapt it to another Cloud provider. In case you are using AWS, we recommend [EKS](https://docs.aws.amazon.com/en_us/eks/latest/userguide/getting-started.html).
### Step 2: Create domains to access the services
We recommend creating domains and certificates to access the services. Examples:
- wazuh-master.your-domain.com: Wazuh API and authd registration service.
- wazuh-manager.your-domain.com: Reporting service.
- wazuh.your-domain.com: Kibana and Wazuh app.
Note: You can skip this step and the services will be accessible using the Load balancer DNS from the VPC.
### Step 3: Deployment
Clone this repository to deploy the necessary services and pods.
```BASH
$ git clone https://github.com/wazuh/wazuh-kubernetes.git
$ cd wazuh-kubernetes
```
### Step 3.1: Wazuh namespace and StorageClass
The Wazuh namespace is used to handle all the elements of Kubernetes (services, deployments, pods) necessaries for Wazuh. In addition, it is necessary to create a StorageClass to use AWS EBS storage in our StateFulSet applications.
```BASH
$ kubectl apply -f base/wazuh-ns.yaml
$ kubectl apply -f base/aws-gp2-storage-class.yaml
```
### Step 3.2: Deploy Elasticsearch
Deployment of Elasticsearch.
```BASH
$ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-svc.yaml
$ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-api-svc.yaml
$ kubectl apply -f elastic_stack/elasticsearch/elasticsearch-sts.yaml
```
### Step 3.3: Deploy Kibana and Nginx
Deployment of Kibana and Nginx.
In case you need to provide a domain name, update the `domainName` annotation value in the [nginx-svc.yaml](nginx-svc.yaml) file before deploying that service. You should also set a valid AWS ACM certificate ARN in the [nginx-svc.yaml](nginx-svc.yaml) for the `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` annotation. That certificate should match with the `domainName`.
```BASH
$ kubectl apply -f elastic_stack/kibana/kibana-svc.yaml
$ kubectl apply -f elastic_stack/kibana/nginx-svc.yaml
$ kubectl apply -f elastic_stack/kibana/kibana-deploy.yaml
$ kubectl apply -f elastic_stack/kibana/nginx-deploy.yaml
```
### Step 3.4: Deploy Logstash
Deployment of Logstash
```BASH
$ kubectl apply -f elastic_stack/logstash/logstash-svc.yaml
$ kubectl apply -f elastic_stack/logstash/logstash-deploy.yaml
```
### Step 3.5: Deploy Wazuh
Deployment of Wazuh cluster.
In case you need to provide a domain name, update the `domainName` annotation value in both the [wazuh-master-svc.yaml](wazuh-master-svc.yaml) and the [wazuh-workers-svc.yaml](wazuh-workers-svc.yaml) files before deploying those services. You should also set a valid AWS ACM certificate ARN in the [wazuh-api-svc.yaml](wazuh-api-svc.yaml) for the `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` annotation. That certificate should match with the `domainName`.
```BASH
$ kubectl apply -f wazuh_managers/wazuh-master-svc.yaml
$ kubectl apply -f wazuh_managers/wazuh-cluster-svc.yaml
$ kubectl apply -f wazuh_managers/wazuh-workers-svc.yaml
$ kubectl apply -f wazuh_managers/wazuh-master-conf.yaml
$ kubectl apply -f wazuh_managers/wazuh-worker-0-conf.yaml
$ kubectl apply -f wazuh_managers/wazuh-worker-1-conf.yaml
$ kubectl apply -f wazuh_managers/wazuh-master-sts.yaml
$ kubectl apply -f wazuh_managers/wazuh-worker-0-sts.yaml
$ kubectl apply -f wazuh_managers/wazuh-worker-1-sts.yaml
```
### Verifying the deployment
#### Namespace
```BASH
$ kubectl get namespaces | grep wazuh
wazuh Active 12m
```
#### Services
```BASH
$ kubectl get services -n wazuh
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
elasticsearch ClusterIP xxx.yy.zzz.24 <none> 9200/TCP 12m
kibana ClusterIP xxx.yy.zzz.76 <none> 5601/TCP 11m
logstash ClusterIP xxx.yy.zzz.41 <none> 5000/TCP 10m
wazuh LoadBalancer xxx.yy.zzz.209 internal-a7a8... 1515:32623/TCP,55000:30283/TCP 9m
wazuh-cluster ClusterIP None <none> 1516/TCP 9m
wazuh-elasticsearch ClusterIP None <none> 9300/TCP 12m
wazuh-nginx LoadBalancer xxx.yy.zzz.223 internal-a3b1... 80:31831/TCP,443:30974/TCP 11m
wazuh-workers LoadBalancer xxx.yy.zzz.26 internal-a7f9... 1514:31593/TCP 9m
```
#### Deployments
```BASH
$ kubectl get deployments -n wazuh
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
wazuh-kibana 1 1 1 1 11m
wazuh-logstash 1 1 1 1 10m
wazuh-nginx 1 1 1 1 11m
```
#### Statefulsets
```BASH
$ kubectl get statefulsets -n wazuh
NAME DESIRED CURRENT AGE
wazuh-elasticsearch 1 1 13m
wazuh-manager-master 1 1 9m
wazuh-manager-worker-0 1 1 9m
wazuh-manager-worker-1 1 1 9m
```
#### Pods
```BASH
$ kubectl get pods -n wazuh
NAME READY STATUS RESTARTS AGE
wazuh-elasticsearch-0 1/1 Running 0 15m
wazuh-kibana-f4d9c7944-httsd 1/1 Running 0 14m
wazuh-logstash-777b7cd47b-7cxfq 1/1 Running 0 13m
wazuh-manager-master-0 1/1 Running 0 12m
wazuh-manager-worker-0-0 1/1 Running 0 11m
wazuh-manager-worker-1-0 1/1 Running 0 11m
wazuh-nginx-748fb8494f-xwwhw 1/1 Running 0 14m
```
#### Accessing Kibana
In case you created domain names for the services, you should be able to access Kibana using the proposed domain name: https://wazuh.your-domain.com.
Also, you can access using the External-IP (from the VPC): https://internal-xxx-yyy.us-east-1.elb.amazonaws.com:443
```BASH
$ kubectl get services -o wide -n wazuh
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
wazuh-nginx LoadBalancer xxx.xx.xxx.xxx internal-xxx-yyy.us-east-1.elb.amazonaws.com 80:31831/TCP,443:30974/TCP 15m app=wazuh-nginx
```
## Agents
### Monitoring hosts
Wazuh agents are designed to monitor hosts. Just register the agent using the registration service, then configure the agent to use the reporting service.
### Monitoring containers
In this case, we have 2 options:
- Running the agent in the container: containers are sealed and designed to run a single process. It is not practicable solution.
- Install the agent on the host: This is the option that we recommend since the agent was originally designed for this purpose.
We are researching if the agent is able to run as a *DaemonSet* container. A *DaemonSet* is a special type of Pod which is logically guaranteed to run on each Kubernetes node. This kind of agent will have access only to its container, so we should mount volumes used by other containers to monitor logs, files, etc.

24
wazuh_managers/wazuh-cluster-svc.yaml Normal file
View File

@ -0,0 +1,24 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh cluster Service: Manager nodes communication
apiVersion: v1
kind: Service
metadata:
name: wazuh-cluster
namespace: wazuh
labels:
app: wazuh-manager
spec:
selector:
app: wazuh-manager
ports:
- name: wazuh-clusterd
port: 1516
targetPort: 1516
clusterIP: None

347
wazuh_managers/wazuh-master-conf.yaml Normal file
View File

@ -0,0 +1,347 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh master conf
apiVersion: v1
kind: ConfigMap
metadata:
name: wazuh-manager-master-conf
namespace: wazuh
data:
# /var/ossec/etc-template/ossec.conf
ossec.conf: |-
<!--
Wazuh - Manager - Default configuration for ubuntu 16.04
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
Customization: TCP on port 1514
Customization: Cluster mode enabled, master node
-->
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<queue_size>131072</queue_size>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/rootcheck/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/rootcheck/system_audit_ssh.txt</system_audit>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
</wodle>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
<wodle name="vulnerability-detector">
<disabled>yes</disabled>
<interval>1m</interval>
<run_on_start>yes</run_on_start>
<feed name="ubuntu-18">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
<feed name="redhat-7">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
<feed name="debian-9">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
</wodle>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/sys/kernel/security</ignore>
<ignore>/sys/kernel/debug</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<!-- Remove not monitored files -->
<remove_old_diff>yes</remove_old_diff>
<!-- Allow the system to restart Auditd after installing the plugin -->
<restart_audit>yes</restart_audit>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>10.66.0.2</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null-2012</name>
<executable>route-null-2012.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh-win-2016</name>
<executable>netsh-win-2016.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-sources</list>
<list>etc/lists/amazon/aws-eventnames</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<!-- Configuration for ossec-authd
To enable this service, run:
ossec-control enable auth
-->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<force_insert>no</force_insert>
<force_time>0</force_time>
<purge>no</purge>
<use_password>no</use_password>
<limit_maxagents>yes</limit_maxagents>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>wazuh-manager-master</node_name>
<node_type>master</node_type>
<!-- TODO: Don't hardcode the key! (and change it) -->
<key>123a45bc67def891gh23i45jk67l8mn9</key>
<interval>10s</interval>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh-manager-master-0.wazuh-cluster.wazuh.svc.cluster.local</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
</ossec_config>

70
wazuh_managers/wazuh-master-sts.yaml Normal file
View File

@ -0,0 +1,70 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh master StatefulSet
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: wazuh-manager-master
namespace: wazuh
spec:
replicas: 1
selector:
matchLabels:
app: wazuh-manager
node-type: master
serviceName: wazuh-cluster
podManagementPolicy: Parallel
template:
metadata:
labels:
app: wazuh-manager
node-type: master
name: wazuh-manager-master
spec:
volumes:
- name: config
configMap:
name: wazuh-manager-master-conf
containers:
- name: wazuh-manager
image: 'wazuh/wazuh:3.7.0_6.5.0'
resources:
requests:
cpu: 500m
memory: 256Mi
limits:
cpu: 1
memory: 512Mi
volumeMounts:
- name: config
mountPath: /wazuh-config-mount/etc/ossec.conf
subPath: ossec.conf
readOnly: true
- name: wazuh-manager-master
mountPath: /var/ossec/data
- name: wazuh-manager-master
mountPath: /etc/postfix
ports:
- containerPort: 1515
name: ossec-authd
- containerPort: 1516
name: wazuh-clusterd
- containerPort: 55000
name: wazuh-api
volumeClaimTemplates:
- metadata:
name: wazuh-manager-master
namespace: wazuh
spec:
accessModes:
- ReadWriteOnce
storageClassName: gp2-encrypted-retained
resources:
requests:
storage: 10Gi

35
wazuh_managers/wazuh-master-svc.yaml Normal file
View File

@ -0,0 +1,35 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh master Service: API and registration (authd)
apiVersion: v1
kind: Service
metadata:
name: wazuh # Don't change, unless you update the Wazuh Kibana app config
namespace: wazuh
labels:
app: wazuh-manager
# dns: route53
annotations:
# domainName: 'wazuh-master.some-domain.com' # TODO: Change this for a Hosted Zone you configured in AWS Route 53
service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
# service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 'put_your_aws_acm_certificate_arn_here' # TODO: Change this for the certificate for your Hosted Zone
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: '55000'
spec:
type: LoadBalancer
selector:
app: wazuh-manager
node-type: master
ports:
- name: ossec-authd
port: 1515
targetPort: 1515
- name: wazuh-api
port: 55000
targetPort: 55000

347
wazuh_managers/wazuh-worker-0-conf.yaml Normal file
View File

@ -0,0 +1,347 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh worker conf: 0
apiVersion: v1
kind: ConfigMap
metadata:
name: wazuh-manager-worker-0-conf
namespace: wazuh
data:
# /var/ossec/etc-template/ossec.conf
ossec.conf: |-
<!--
Wazuh - Manager - Default configuration for ubuntu 16.04
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
Customization: TCP on port 1514
Customization: Cluster mode enabled, worker node
-->
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<queue_size>131072</queue_size>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/rootcheck/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/rootcheck/system_audit_ssh.txt</system_audit>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
</wodle>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
<wodle name="vulnerability-detector">
<disabled>yes</disabled>
<interval>1m</interval>
<run_on_start>yes</run_on_start>
<feed name="ubuntu-18">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
<feed name="redhat-7">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
<feed name="debian-9">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
</wodle>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/sys/kernel/security</ignore>
<ignore>/sys/kernel/debug</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<!-- Remove not monitored files -->
<remove_old_diff>yes</remove_old_diff>
<!-- Allow the system to restart Auditd after installing the plugin -->
<restart_audit>yes</restart_audit>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>10.66.0.2</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null-2012</name>
<executable>route-null-2012.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh-win-2016</name>
<executable>netsh-win-2016.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-sources</list>
<list>etc/lists/amazon/aws-eventnames</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<!-- Configuration for ossec-authd
To enable this service, run:
ossec-control enable auth
-->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<force_insert>no</force_insert>
<force_time>0</force_time>
<purge>no</purge>
<use_password>no</use_password>
<limit_maxagents>yes</limit_maxagents>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>wazuh-manager-worker-0</node_name>
<node_type>worker</node_type>
<!-- TODO: Don't hardcode the key! (and change it) -->
<key>123a45bc67def891gh23i45jk67l8mn9</key>
<interval>10s</interval>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh-manager-master-0.wazuh-cluster.wazuh.svc.cluster.local</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
</ossec_config>

82
wazuh_managers/wazuh-worker-0-sts.yaml Normal file
View File

@ -0,0 +1,82 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh worker StatefulSet: 0
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: wazuh-manager-worker-0
namespace: wazuh
spec:
replicas: 1
selector:
matchLabels:
app: wazuh-manager
node-type: worker
sts-id: '0'
serviceName: wazuh-cluster
podManagementPolicy: Parallel
template:
metadata:
labels:
app: wazuh-manager
node-type: worker
sts-id: '0'
name: wazuh-manager-worker-0
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: sts-id
operator: In
values:
- '1'
topologyKey: kubernetes.io/hostname
volumes:
- name: config
configMap:
name: wazuh-manager-worker-0-conf
containers:
- name: wazuh-manager
image: 'wazuh/wazuh:3.7.0_6.5.0'
resources:
requests:
cpu: 500m
memory: 256Mi
limits:
cpu: 1
memory: 512Mi
volumeMounts:
- name: config
mountPath: /wazuh-config-mount/etc/ossec.conf
subPath: ossec.conf
readOnly: true
- name: wazuh-manager-worker
mountPath: /var/ossec/data
- name: wazuh-manager-worker
mountPath: /etc/postfix
ports:
- containerPort: 1514
name: agents-events
- containerPort: 1516
name: wazuh-clusterd
volumeClaimTemplates:
- metadata:
name: wazuh-manager-worker
namespace: wazuh
spec:
accessModes:
- ReadWriteOnce
storageClassName: gp2-encrypted-retained
resources:
requests:
storage: 10Gi

347
wazuh_managers/wazuh-worker-1-conf.yaml Normal file
View File

@ -0,0 +1,347 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh worker conf: 1
apiVersion: v1
kind: ConfigMap
metadata:
name: wazuh-manager-worker-1-conf
namespace: wazuh
data:
# /var/ossec/etc-template/ossec.conf
ossec.conf: |-
<!--
Wazuh - Manager - Default configuration for ubuntu 16.04
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
Customization: TCP on port 1514
Customization: Cluster mode enabled, worker node
-->
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<queue_size>131072</queue_size>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/rootcheck/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/rootcheck/system_audit_ssh.txt</system_audit>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
</wodle>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
<wodle name="vulnerability-detector">
<disabled>yes</disabled>
<interval>1m</interval>
<run_on_start>yes</run_on_start>
<feed name="ubuntu-18">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
<feed name="redhat-7">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
<feed name="debian-9">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
</wodle>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/sys/kernel/security</ignore>
<ignore>/sys/kernel/debug</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<!-- Remove not monitored files -->
<remove_old_diff>yes</remove_old_diff>
<!-- Allow the system to restart Auditd after installing the plugin -->
<restart_audit>yes</restart_audit>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>10.66.0.2</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null-2012</name>
<executable>route-null-2012.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh-win-2016</name>
<executable>netsh-win-2016.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-sources</list>
<list>etc/lists/amazon/aws-eventnames</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<!-- Configuration for ossec-authd
To enable this service, run:
ossec-control enable auth
-->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<force_insert>no</force_insert>
<force_time>0</force_time>
<purge>no</purge>
<use_password>no</use_password>
<limit_maxagents>yes</limit_maxagents>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>wazuh-manager-worker-1</node_name>
<node_type>worker</node_type>
<!-- TODO: Don't hardcode the key! (and change it) -->
<key>123a45bc67def891gh23i45jk67l8mn9</key>
<interval>10s</interval>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh-manager-master-0.wazuh-cluster.wazuh.svc.cluster.local</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
</ossec_config>

82
wazuh_managers/wazuh-worker-1-sts.yaml Normal file
View File

@ -0,0 +1,82 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh worker StatefulSet: 1
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: wazuh-manager-worker-1
namespace: wazuh
spec:
replicas: 1
selector:
matchLabels:
app: wazuh-manager
node-type: worker
sts-id: '1'
serviceName: wazuh-cluster
podManagementPolicy: Parallel
template:
metadata:
labels:
app: wazuh-manager
node-type: worker
sts-id: '1'
name: wazuh-manager-worker-1
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: sts-id
operator: In
values:
- '0'
topologyKey: kubernetes.io/hostname
volumes:
- name: config
configMap:
name: wazuh-manager-worker-1-conf
containers:
- name: wazuh-manager
image: 'wazuh/wazuh:3.7.0_6.5.0'
resources:
requests:
cpu: 500m
memory: 256Mi
limits:
cpu: 1
memory: 512Mi
volumeMounts:
- name: config
mountPath: /wazuh-config-mount/etc/ossec.conf
subPath: ossec.conf
readOnly: true
- name: wazuh-manager-worker
mountPath: /var/ossec/data
- name: wazuh-manager-worker
mountPath: /etc/postfix
ports:
- containerPort: 1514
name: agents-events
- containerPort: 1516
name: wazuh-clusterd
volumeClaimTemplates:
- metadata:
name: wazuh-manager-worker
namespace: wazuh
spec:
accessModes:
- ReadWriteOnce
storageClassName: gp2-encrypted-retained
resources:
requests:
storage: 10Gi

29
wazuh_managers/wazuh-workers-svc.yaml Normal file
View File

@ -0,0 +1,29 @@
# Copyright (C) 2018 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
# Wazuh workers service: Agent reporting
apiVersion: v1
kind: Service
metadata:
name: wazuh-workers
namespace: wazuh
labels:
app: wazuh-manager
# dns: route53
annotations:
# domainName: 'wazuh-manager.some-domain.com' # TODO: Change this for a Hosted Zone you configured in AWS Route 53
service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
spec:
type: LoadBalancer
selector:
app: wazuh-manager
node-type: worker
ports:
- name: agents-events
port: 1514
targetPort: 1514