
fix wazuh stack for single-host deploy: dotted naming, cert paths, filebeat/dashboard config, indexer 7.x compat override

4979f72   Zion Boggan committed on May 28, 2026 (3 weeks ago)
Makefile +3 -3
@@ -7,10 +7,10 @@ down:
docker compose down
logs:
- docker compose logs -f wazuh-manager
+ docker compose logs -f wazuh.manager
restart:
- docker compose restart wazuh-manager
+ docker compose restart wazuh.manager
shuffle:
cd shuffle && docker compose up -d
@@ -19,7 +19,7 @@ ps:
docker compose ps
agent-test:
- docker compose exec wazuh-manager /var/ossec/bin/wazuh-logtest
+ docker compose exec wazuh.manager /var/ossec/bin/wazuh-logtest
clean:
docker compose down -v
config/wazuh/certs.yml +6 -6
@@ -1,10 +1,10 @@
nodes:
indexer:
- - name: wazuh-indexer
- ip: wazuh-indexer
+ - name: wazuh.indexer
+ ip: wazuh.indexer
server:
- - name: wazuh-manager
- ip: wazuh-manager
+ - name: wazuh.manager
+ ip: wazuh.manager
dashboard:
- - name: wazuh-dashboard
- ip: wazuh-dashboard
+ - name: wazuh.dashboard
+ ip: wazuh.dashboard
config/wazuh/dashboard/opensearch_dashboards.yml +15 -0
@@ -0,0 +1,15 @@
+server.host: 0.0.0.0
+server.port: 5601
+opensearch.hosts: https://wazuh.indexer:9200
+opensearch.ssl.verificationMode: certificate
+opensearch.username: kibanaserver
+opensearch.password: kibanaserver
+opensearch.requestHeadersWhitelist:
+ - securitytenant
+ - Authorization
+server.ssl.enabled: true
+server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
+server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
+opensearch.ssl.certificateAuthorities:
+ - "/etc/wazuh-dashboard/certs/root-ca.pem"
+uiSettings.overrides.defaultRoute: /app/wz-home
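Review bot: `opensearch.password: kibanaserver` (the line after `opensearch.username`) commits the indexer's stock default credential in a file that docker-compose.yml now bind-mounts over the image's own `/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml`, so the `DASHBOARD_USERNAME`/`DASHBOARD_PASSWORD` values the compose file still passes presumably no longer reach the dashboard. `config/wazuh/dashboard/wazuh.yml` in this commit has the same shape with `password: changeme-api` for the API user, while `config/wazuh/manager/filebeat.yml` already reads `${INDEXER_USERNAME}`/`${INDEXER_PASSWORD}` from the environment. I'd use the same pattern here, `opensearch.password: "${DASHBOARD_PASSWORD}"` (OpenSearch Dashboards expands `${VAR}` in its yml as far as I know — confirm), or leave the two credential keys out and let the image entrypoint render them; either way the literal values are now in git history and should be treated as burned. `opensearch.ssl.verificationMode: certificate` also skips the hostname check against the indexer cert, whereas filebeat.yml uses `full`; `full` works here since the cert is issued for `wazuh.indexer`.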
config/wazuh/dashboard/wazuh.yml +7 -0
@@ -0,0 +1,7 @@
+hosts:
+ - default:
+ url: https://wazuh.manager
+ port: 55000
+ username: wazuh-wui
+ password: changeme-api
+ run_as: false
config/wazuh/indexer/wazuh.indexer.yml +9 -8
@@ -1,19 +1,20 @@
network.host: "0.0.0.0"
-node.name: "wazuh-indexer"
+node.name: "wazuh.indexer"
+compatibility.override_main_response_version: true
cluster.initial_master_nodes:
- - "wazuh-indexer"
+ - "wazuh.indexer"
cluster.name: "wazuh-cluster"
discovery.seed_hosts:
- - "wazuh-indexer"
+ - "wazuh.indexer"
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
-plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh-indexer.pem
-plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh-indexer-key.pem
+plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
+plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
-plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh-indexer.pem
-plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh-indexer-key.pem
+plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
@@ -22,7 +23,7 @@ plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.nodes_dn:
- - "CN=wazuh-indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+ - "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
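Review bot: `compatibility.override_main_response_version: true`, added on the second line of the first hunk, changes the version every HTTP client sees from this node — including anything that reaches the host-published 9200 port — and nothing in the file says why; the commit title is the only record. A comment above it would save the next reader a bisect, e.g. `# report a 7.x version in the root response so the Filebeat OSS 7.x shipper on the manager accepts this OpenSearch node` (adjust if the consumer is something else — I'm inferring Filebeat from `output.elasticsearch` in the new filebeat.yml). The `plugins.security.nodes_dn` entry now matches the `CN=wazuh.indexer` name from certs.yml, but `plugins.security.ssl.transport.enforce_hostname_verification: false` two lines above the hunk boundary is still in effect; fine for a single node, and a short `# single-node lab: transport peers are not hostname-checked` comment would mark it as deliberate rather than leftover.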
config/wazuh/manager/filebeat.yml +22 -0
@@ -0,0 +1,22 @@
+filebeat.modules:
+ - module: wazuh
+ alerts:
+ enabled: true
+ archives:
+ enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.template.overwrite: true
+setup.ilm.enabled: false
+
+output.elasticsearch:
+ hosts: ['https://wazuh.indexer:9200']
+ username: ${INDEXER_USERNAME}
+ password: ${INDEXER_PASSWORD}
+ ssl.verification_mode: full
+ ssl.certificate_authorities:
+ - /etc/ssl/root-ca.pem
+
+logging.metrics.enabled: false
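Review bot: The `output.elasticsearch` block verifies the indexer (`ssl.verification_mode: full` against `/etc/ssl/root-ca.pem`) but names no client certificate, while docker-compose.yml mounts `wazuh.manager.pem` and `wazuh.manager-key.pem` at `/etc/ssl/filebeat.pem` and `/etc/ssl/filebeat.key`; those two mounts are dead unless the image entrypoint rewrites this file. Either wire them in, `ssl.certificate: /etc/ssl/filebeat.pem` and `ssl.key: /etc/ssl/filebeat.key`, or drop the mounts so the manager's private key is not copied into the container for nothing. Because the file is bind-mounted from the host, Filebeat's config-permission check (file owned by the running user or root, not group/world writable) may also reject it at startup — I'd confirm with `filebeat test config` inside the container and, if that is the failure, fix the host file's owner and mode rather than disabling the check.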
config/wazuh/rules/local_rules.xml +0 -4
@@ -81,8 +81,6 @@
<group name="local,cti,threat-intel,">
<rule id="100210" level="12">
- <decoded_as>json</decoded_as>
- <field name="dstip" type="pcre2">\S+</field>
<list field="dstip" lookup="address_match_key">etc/lists/cti-malicious-ip</list>
<description>Outbound connection to CTI-flagged IP: $(dstip)</description>
<mitre>
@@ -91,7 +89,6 @@
</rule>
<rule id="100211" level="12">
- <field name="win.eventdata.queryName" type="pcre2">\S+</field>
<list field="win.eventdata.queryName" lookup="match_key">etc/lists/cti-malicious-domain</list>
<description>DNS query for CTI-flagged domain: $(win.eventdata.queryName)</description>
<mitre>
@@ -100,7 +97,6 @@
</rule>
<rule id="100212" level="13">
- <field name="win.eventdata.hashes" type="pcre2">\S+</field>
<list field="win.eventdata.sha256" lookup="match_key">etc/lists/cti-malware-hash</list>
<description>Execution of CTI-flagged malware hash</description>
<mitre>
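Review bot: With `<decoded_as>json</decoded_as>` and the `<field ...>\S+</field>` guards removed, rules 100210–100212 now fire on the `<list>` lookup alone; that is defensible (the lookup cannot match when the field is absent, and the old `win.eventdata.hashes` guard in 100212 never named the `win.eventdata.sha256` field the list actually checks), but the reason is recorded nowhere. I'd add a comment at the top of the group, e.g. `<!-- the CDB list lookup is the only condition: the earlier decoded_as/field guards suppressed events whose decoder placed the field elsewhere -->`, with the wording adjusted to whatever the real failure was. Also confirm that each rule body, which continues past the hunk, still carries an `<if_sid>` or `<if_group>`; as far as I recall a rule without one is evaluated against every decoded event, and the `<decoded_as>` line was the last scoping these three had in the visible part.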
docker-compose.yml +22 -18
@@ -1,9 +1,9 @@
name: soc-automation-lab
services:
- wazuh-indexer:
+ wazuh.indexer:
image: wazuh/wazuh-indexer:4.9.0
- hostname: wazuh-indexer
+ hostname: wazuh.indexer
restart: always
ports:
- "9200:9200"
@@ -19,26 +19,26 @@ services:
hard: 65536
volumes:
- indexer-data:/var/lib/wazuh-indexer
- - ./config/wazuh/certs/wazuh-indexer.pem:/usr/share/wazuh-indexer/certs/wazuh-indexer.pem
- - ./config/wazuh/certs/wazuh-indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh-indexer-key.pem
+ - ./config/wazuh/certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
+ - ./config/wazuh/certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer-key.pem
- ./config/wazuh/certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
- ./config/wazuh/certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
- ./config/wazuh/certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
- ./config/wazuh/indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
- wazuh-manager:
+ wazuh.manager:
image: wazuh/wazuh-manager:4.9.0
- hostname: wazuh-manager
+ hostname: wazuh.manager
restart: always
depends_on:
- - wazuh-indexer
+ - wazuh.indexer
ports:
- "1514:1514"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- - INDEXER_URL=https://wazuh-indexer:9200
+ - INDEXER_URL=https://wazuh.indexer:9200
- INDEXER_USERNAME=${INDEXER_USERNAME}
- INDEXER_PASSWORD=${INDEXER_PASSWORD}
- API_USERNAME=${WAZUH_API_USER}
@@ -51,17 +51,17 @@ services:
- ./config/wazuh/decoders/local_decoder.xml:/var/ossec/etc/decoders/local_decoder.xml
- ./integrations/custom-thehive.py:/var/ossec/integrations/custom-thehive.py
- ./integrations/custom-thehive:/var/ossec/integrations/custom-thehive
- - ./config/wazuh/lists/cti-malicious-ip:/var/ossec/etc/lists/cti-malicious-ip
- - ./config/wazuh/lists/cti-malicious-domain:/var/ossec/etc/lists/cti-malicious-domain
- - ./config/wazuh/lists/cti-malware-hash:/var/ossec/etc/lists/cti-malware-hash
- - ./config/wazuh/certs/root-ca.pem:/usr/share/wazuh/certs/root-ca.pem
+ - ./config/wazuh/certs/root-ca.pem:/etc/ssl/root-ca.pem
+ - ./config/wazuh/certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
+ - ./config/wazuh/certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
+ - ./config/wazuh/manager/filebeat.yml:/etc/filebeat/filebeat.yml
- wazuh-dashboard:
+ wazuh.dashboard:
image: wazuh/wazuh-dashboard:4.9.0
- hostname: wazuh-dashboard
+ hostname: wazuh.dashboard
restart: always
depends_on:
- - wazuh-indexer
+ - wazuh.indexer
ports:
- "5601:5601"
environment:
@@ -69,10 +69,14 @@ services:
- INDEXER_PASSWORD=${INDEXER_PASSWORD}
- DASHBOARD_USERNAME=${DASHBOARD_USERNAME}
- DASHBOARD_PASSWORD=${DASHBOARD_PASSWORD}
+ - OPENSEARCH_HOSTS=https://wazuh.indexer:9200
+ - WAZUH_API_URL=https://wazuh.manager
volumes:
- - ./config/wazuh/certs/wazuh-dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
- - ./config/wazuh/certs/wazuh-dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
- - ./config/wazuh/certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
+ - ./config/wazuh/dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
+ - ./config/wazuh/dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml:ro
+ - ./config/wazuh/certs/wazuh.dashboard.pem:/etc/wazuh-dashboard/certs/dashboard.pem
+ - ./config/wazuh/certs/wazuh.dashboard-key.pem:/etc/wazuh-dashboard/certs/dashboard-key.pem
+ - ./config/wazuh/certs/root-ca.pem:/etc/wazuh-dashboard/certs/root-ca.pem
cassandra:
image: cassandra:4.1
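Review bot: The three `./config/wazuh/lists/...` bind mounts removed in the third hunk are not replaced by a volume; the lists are now pushed with `docker compose cp` from `scripts/deploy.sh`, so they live in the manager container's writable layer and disappear whenever the container is recreated (an image bump, `make clean`, or `docker compose up` after a compose edit) until the deploy script is rerun. If the mounts were dropped because the manager needs to write the compiled `.cdb` next to each list, mount the directory or keep `/var/ossec/etc` on a named volume rather than relying on a one-shot copy; whatever the reason, a comment above the manager's `volumes:` block saying why the lists are seeded out-of-band would help. The `wazuh.yml` mount at `/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml:ro` is the only read-only mount in the stack; I believe the Wazuh plugin writes that file from its settings UI, so those edits will fail — if that is intended, say so in a comment on that line.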
scripts/deploy.sh +11 -1
@@ -19,7 +19,7 @@ generate_certs() {
echo "generating indexer certificates"
mkdir -p "${CERT_DIR}"
docker run --rm \
- -v "${CERT_DIR}:/certs" \
+ -v "${CERT_DIR}:/certificates" \
-v "${ROOT}/config/wazuh/certs.yml:/config/certs.yml:ro" \
wazuh/wazuh-certs-generator:0.0.2
chmod 640 "${CERT_DIR}"/*.pem
@@ -43,9 +43,19 @@ set -a
source .env
set +a
+seed_cti_lists() {
+ echo "seeding CTI watchlists into the manager"
+ for list in cti-malicious-ip cti-malicious-domain cti-malware-hash; do
+ docker compose cp "config/wazuh/lists/${list}" "wazuh.manager:/var/ossec/etc/lists/${list}"
+ done
+ docker compose exec -T wazuh.manager chown -R wazuh:wazuh /var/ossec/etc/lists
+ docker compose exec -T wazuh.manager /var/ossec/bin/wazuh-control restart >/dev/null
+}
+
generate_certs
docker compose up -d
wait_for_indexer
+seed_cti_lists
cat <<EOF