docker-compose.yml · SOC Automation Lab

152 lines · yaml

name: soc-automation-lab
 
services:
  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.9.0
    hostname: wazuh.indexer
    restart: always
    ports:
      - "9200:9200"
    environment:
      - OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g
      - bootstrap.memory_lock=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - indexer-data:/var/lib/wazuh-indexer
      - ./config/wazuh/certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
      - ./config/wazuh/certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer-key.pem
      - ./config/wazuh/certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - ./config/wazuh/certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
      - ./config/wazuh/certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
      - ./config/wazuh/indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
 
  wazuh.manager:
    image: wazuh/wazuh-manager:4.9.0
    hostname: wazuh.manager
    restart: always
    depends_on:
      - wazuh.indexer
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - INDEXER_URL=https://wazuh.indexer:9200
      - INDEXER_USERNAME=${INDEXER_USERNAME}
      - INDEXER_PASSWORD=${INDEXER_PASSWORD}
      - API_USERNAME=${WAZUH_API_USER}
      - API_PASSWORD=${WAZUH_API_PASSWORD}
    volumes:
      - manager-config:/var/ossec/etc
      - manager-logs:/var/ossec/logs
      - ./config/wazuh/manager/ossec.conf:/wazuh-config-mount/etc/ossec.conf
      - ./config/wazuh/rules/local_rules.xml:/var/ossec/etc/rules/local_rules.xml
      - ./config/wazuh/decoders/local_decoder.xml:/var/ossec/etc/decoders/local_decoder.xml
      - ./integrations/custom-thehive.py:/var/ossec/integrations/custom-thehive.py
      - ./integrations/custom-thehive:/var/ossec/integrations/custom-thehive
      - ./config/wazuh/certs/root-ca.pem:/etc/ssl/root-ca.pem
      - ./config/wazuh/certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
      - ./config/wazuh/certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
      - ./config/wazuh/manager/filebeat.yml:/etc/filebeat/filebeat.yml
 
  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.9.0
    hostname: wazuh.dashboard
    restart: always
    depends_on:
      - wazuh.indexer
    ports:
      - "5601:5601"
    environment:
      - INDEXER_USERNAME=${INDEXER_USERNAME}
      - INDEXER_PASSWORD=${INDEXER_PASSWORD}
      - DASHBOARD_USERNAME=${DASHBOARD_USERNAME}
      - DASHBOARD_PASSWORD=${DASHBOARD_PASSWORD}
      - OPENSEARCH_HOSTS=https://wazuh.indexer:9200
      - WAZUH_API_URL=https://wazuh.manager
    volumes:
      - ./config/wazuh/dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
      - ./config/wazuh/dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml:ro
      - ./config/wazuh/certs/wazuh.dashboard.pem:/etc/wazuh-dashboard/certs/dashboard.pem
      - ./config/wazuh/certs/wazuh.dashboard-key.pem:/etc/wazuh-dashboard/certs/dashboard-key.pem
      - ./config/wazuh/certs/root-ca.pem:/etc/wazuh-dashboard/certs/root-ca.pem
 
  cassandra:
    image: cassandra:4.1
    hostname: cassandra
    restart: always
    environment:
      - MAX_HEAP_SIZE=1024M
      - HEAP_NEWSIZE=1024M
      - CASSANDRA_CLUSTER_NAME=thehive
    volumes:
      - cassandra-data:/var/lib/cassandra
 
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.20
    hostname: elasticsearch
    restart: always
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - es-data:/usr/share/elasticsearch/data
 
  cortex:
    image: thehiveproject/cortex:3.1.8
    hostname: cortex
    restart: always
    depends_on:
      - elasticsearch
    ports:
      - "${CORTEX_PORT}:9001"
    environment:
      - job_directory=/tmp/cortex-jobs
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - cortex-jobs:/tmp/cortex-jobs
 
  thehive:
    image: strangebee/thehive:5.4.0-1
    hostname: thehive
    restart: always
    depends_on:
      - cassandra
      - elasticsearch
      - cortex
    ports:
      - "${THEHIVE_PORT}:9000"
    command:
      - --secret
      - ${THEHIVE_SECRET}
      - "--cql-hostnames"
      - cassandra
      - "--index-backend"
      - elasticsearch
      - "--es-hostnames"
      - elasticsearch
      - "--cortex-hostnames"
      - cortex
    volumes:
      - thehive-data:/opt/thp/thehive/data
 
volumes:
  indexer-data:
  manager-config:
  manager-logs:
  cassandra-data:
  es-data:
  cortex-jobs:
  thehive-data:

1	name: soc-automation-lab
2
3	services:
4	wazuh.indexer:
5	image: wazuh/wazuh-indexer:4.9.0
6	hostname: wazuh.indexer
7	restart: always
8	ports:
9	- "9200:9200"
10	environment:
11	- OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g
12	- bootstrap.memory_lock=true
13	ulimits:
14	memlock:
15	soft: -1
16	hard: -1
17	nofile:
18	soft: 65536
19	hard: 65536
20	volumes:
21	- indexer-data:/var/lib/wazuh-indexer
22	- ./config/wazuh/certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
23	- ./config/wazuh/certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer-key.pem
24	- ./config/wazuh/certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
25	- ./config/wazuh/certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
26	- ./config/wazuh/certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
27	- ./config/wazuh/indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
28
29	wazuh.manager:
30	image: wazuh/wazuh-manager:4.9.0
31	hostname: wazuh.manager
32	restart: always
33	depends_on:
34	- wazuh.indexer
35	ports:
36	- "1514:1514"
37	- "1515:1515"
38	- "514:514/udp"
39	- "55000:55000"
40	environment:
41	- INDEXER_URL=https://wazuh.indexer:9200
42	- INDEXER_USERNAME=${INDEXER_USERNAME}
43	- INDEXER_PASSWORD=${INDEXER_PASSWORD}
44	- API_USERNAME=${WAZUH_API_USER}
45	- API_PASSWORD=${WAZUH_API_PASSWORD}
46	volumes:
47	- manager-config:/var/ossec/etc
48	- manager-logs:/var/ossec/logs
49	- ./config/wazuh/manager/ossec.conf:/wazuh-config-mount/etc/ossec.conf
50	- ./config/wazuh/rules/local_rules.xml:/var/ossec/etc/rules/local_rules.xml
51	- ./config/wazuh/decoders/local_decoder.xml:/var/ossec/etc/decoders/local_decoder.xml
52	- ./integrations/custom-thehive.py:/var/ossec/integrations/custom-thehive.py
53	- ./integrations/custom-thehive:/var/ossec/integrations/custom-thehive
54	- ./config/wazuh/certs/root-ca.pem:/etc/ssl/root-ca.pem
55	- ./config/wazuh/certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
56	- ./config/wazuh/certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
57	- ./config/wazuh/manager/filebeat.yml:/etc/filebeat/filebeat.yml
58
59	wazuh.dashboard:
60	image: wazuh/wazuh-dashboard:4.9.0
61	hostname: wazuh.dashboard
62	restart: always
63	depends_on:
64	- wazuh.indexer
65	ports:
66	- "5601:5601"
67	environment:
68	- INDEXER_USERNAME=${INDEXER_USERNAME}
69	- INDEXER_PASSWORD=${INDEXER_PASSWORD}
70	- DASHBOARD_USERNAME=${DASHBOARD_USERNAME}
71	- DASHBOARD_PASSWORD=${DASHBOARD_PASSWORD}
72	- OPENSEARCH_HOSTS=https://wazuh.indexer:9200
73	- WAZUH_API_URL=https://wazuh.manager
74	volumes:
75	- ./config/wazuh/dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
76	- ./config/wazuh/dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml:ro
77	- ./config/wazuh/certs/wazuh.dashboard.pem:/etc/wazuh-dashboard/certs/dashboard.pem
78	- ./config/wazuh/certs/wazuh.dashboard-key.pem:/etc/wazuh-dashboard/certs/dashboard-key.pem
79	- ./config/wazuh/certs/root-ca.pem:/etc/wazuh-dashboard/certs/root-ca.pem
80
81	cassandra:
82	image: cassandra:4.1
83	hostname: cassandra
84	restart: always
85	environment:
86	- MAX_HEAP_SIZE=1024M
87	- HEAP_NEWSIZE=1024M
88	- CASSANDRA_CLUSTER_NAME=thehive
89	volumes:
90	- cassandra-data:/var/lib/cassandra
91
92	elasticsearch:
93	image: docker.elastic.co/elasticsearch/elasticsearch:7.17.20
94	hostname: elasticsearch
95	restart: always
96	environment:
97	- discovery.type=single-node
98	- xpack.security.enabled=false
99	- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
100	ulimits:
101	memlock:
102	soft: -1
103	hard: -1
104	volumes:
105	- es-data:/usr/share/elasticsearch/data
106
107	cortex:
108	image: thehiveproject/cortex:3.1.8
109	hostname: cortex
110	restart: always
111	depends_on:
112	- elasticsearch
113	ports:
114	- "${CORTEX_PORT}:9001"
115	environment:
116	- job_directory=/tmp/cortex-jobs
117	volumes:
118	- /var/run/docker.sock:/var/run/docker.sock
119	- cortex-jobs:/tmp/cortex-jobs
120
121	thehive:
122	image: strangebee/thehive:5.4.0-1
123	hostname: thehive
124	restart: always
125	depends_on:
126	- cassandra
127	- elasticsearch
128	- cortex
129	ports:
130	- "${THEHIVE_PORT}:9000"
131	command:
132	- --secret
133	- ${THEHIVE_SECRET}
134	- "--cql-hostnames"
135	- cassandra
136	- "--index-backend"
137	- elasticsearch
138	- "--es-hostnames"
139	- elasticsearch
140	- "--cortex-hostnames"
141	- cortex
142	volumes:
143	- thehive-data:/opt/thp/thehive/data
144
145	volumes:
146	indexer-data:
147	manager-config:
148	manager-logs:
149	cassandra-data:
150	es-data:
151	cortex-jobs:
152	thehive-data: