From d5556eb3f16a68daf692485e1a744ec20a06341e Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Tue, 13 Apr 2021 10:43:39 -0400
Subject: [PATCH] initial
---
extra/wazuh.yml | 101 ++++++++++++++++++++++++
scripts/services/Mistborn-wazuh.service | 22 ++++++
scripts/subinstallers/extra/wazuh.sh | 9 +++
3 files changed, 132 insertions(+)
create mode 100644 extra/wazuh.yml
create mode 100644 scripts/services/Mistborn-wazuh.service
create mode 100755 scripts/subinstallers/extra/wazuh.sh
diff --git a/extra/wazuh.yml b/extra/wazuh.yml
new file mode 100644
index 0000000..4270a16
--- /dev/null
+++ b/extra/wazuh.yml
@@ -0,0 +1,101 @@
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+version: '3.7'
+
+services:
+ wazuh:
+ image: wazuh/wazuh-odfe:4.1.4
+ hostname: wazuh-manager
+ restart: unless-stopped
+ ports:
+ - "${MISTBORN_BIND_IP}:1514:1514"
+ - "${MISTBORN_BIND_IP}:1515:1515"
+ - "${MISTBORN_BIND_IP}:514:514/udp"
+ - "${MISTBORN_BIND_IP}:55000:55000"
+ environment:
+ - ELASTICSEARCH_URL=https://wazuhes.mistborn
+ - FILEBEAT_SSL_VERIFICATION_MODE=none
+ env_file:
+ - ../.envs/.production/.wazuh
+ volumes:
+ - ossec_api_configuration:/var/ossec/api/configuration
+ - ossec_etc:/var/ossec/etc
+ - ossec_logs:/var/ossec/logs
+ - ossec_queue:/var/ossec/queue
+ - ossec_var_multigroups:/var/ossec/var/multigroups
+ - ossec_integrations:/var/ossec/integrations
+ - ossec_active_response:/var/ossec/active-response/bin
+ - ossec_agentless:/var/ossec/agentless
+ - ossec_wodles:/var/ossec/wodles
+ - filebeat_etc:/etc/filebeat
+ - filebeat_var:/var/lib/filebeat
+
+ wazuh-elasticsearch:
+ image: amazon/opendistro-for-elasticsearch:1.12.0
+ hostname: wazuh-elasticsearch
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.wazuhes-http.rule=Host(`wazuhes.mistborn`)"
+ - "traefik.http.routers.wazuhes-http.entrypoints=web"
+ - "traefik.http.routers.wazuhes-http.middlewares=mistborn_auth@file"
+ - "traefik.http.routers.wazuhes-https.rule=Host(`wazuhes.mistborn`)"
+ - "traefik.http.routers.wazuhes-https.entrypoints=websecure"
+ - "traefik.http.routers.wazuhes-https.middlewares=mistborn_auth@file"
+ - "traefik.http.routers.wazuhes-https.tls.certresolver=basic"
+ - "traefik.http.services.wazuhes-service.loadbalancer.server.port=9200"
+ #ports:
+ # - "${MISTBORN_BIND_IP}:9200:9200"
+ environment:
+ - discovery.type=single-node
+ - cluster.name=wazuh-cluster
+ - network.host=0.0.0.0
+ - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+ - bootstrap.memory_lock=true
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ nofile:
+ soft: 65536
+ hard: 65536
+
+ wazuh-kibana:
+ image: wazuh/wazuh-kibana-odfe:4.1.4
+ hostname: wazuh-kibana
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.wazuhk-http.rule=Host(`wazuhk.mistborn`)"
+ - "traefik.http.routers.wazuhk-http.entrypoints=web"
+ - "traefik.http.routers.wazuhk-http.middlewares=mistborn_auth@file"
+ - "traefik.http.routers.wazuhk-https.rule=Host(`wazuhk.mistborn`)"
+ - "traefik.http.routers.wazuhk-https.entrypoints=websecure"
+ - "traefik.http.routers.wazuhk-https.middlewares=mistborn_auth@file"
+ - "traefik.http.routers.wazuhk-https.tls.certresolver=basic"
+ - "traefik.http.services.wazuhk-service.loadbalancer.server.port=5601"
+ #ports:
+ # - "${MISTBORN_BIND_IP}:5601:5601"
+ environment:
+ - SERVER_SSL_ENABLED=false
+ - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
+ - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
+ env_file:
+ - ../.envs/.production/.wazuh
+ depends_on:
+ - wazuh-elasticsearch
+ links:
+ - wazuh-elasticsearch:wazuh-elasticsearch
+ - wazuh:wazuh
+
+volumes:
+ ossec_api_configuration:
+ ossec_etc:
+ ossec_logs:
+ ossec_queue:
+ ossec_var_multigroups:
+ ossec_integrations:
+ ossec_active_response:
+ ossec_agentless:
+ ossec_wodles:
+ filebeat_etc:
+ filebeat_var:
diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service
new file mode 100644
index 0000000..aaad8a7
--- /dev/null
+++ b/scripts/services/Mistborn-wazuh.service
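Review bot: `FILEBEAT_SSL_VERIFICATION_MODE=none` on the wazuh manager disables certificate checking for the Filebeat connection to `https://wazuhes.mistborn`, so anything on the compose/Traefik path that can answer for that name can read the ELASTIC_* credentials loaded from the env file, and the hunk gives no reason for it. If the `basic` certresolver's chain cannot be validated inside the container yet, record that as a comment above the line, e.g. `# TODO: Filebeat cannot validate the Traefik-issued cert for wazuhes.mistborn; mount the CA and set verification mode to 'full' once it is available`. The kibana service sets `SERVER_SSL_ENABLED=false` yet also sets `SERVER_SSL_CERTIFICATE`/`SERVER_SSL_KEY` to `opendistroforelasticsearch.example.org.*` paths — with SSL disabled those two are dead settings, and the example.org names read as copied from an upstream sample, so either drop them or comment that TLS is terminated at Traefik. Both the `wazuhes` and `wazuhk` services also keep a plain-HTTP `web` router guarded by `mistborn_auth@file`; unless that entrypoint redirects to `websecure` (not visible in this hunk), basic-auth credentials for Elasticsearch and Kibana can travel in cleartext on the `${MISTBORN_BIND_IP}` network.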
@@ -0,0 +1,22 @@
+[Unit]
+Description=Mistborn Wazuh Service
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+PartOf=Mistborn-base.service
+
+[Service]
+Restart=always
+RestartSec=15
+User=root
+Group=docker
+PermissionsStartOnly=true
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/usr/sbin/sysctl -w vm.max_map_count=262144
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
+# Start container when unit is started
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml up --build
+# Stop container when unit is stopped
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh
new file mode 100755
index 0000000..952b4ff
--- /dev/null
+++ b/scripts/subinstallers/extra/wazuh.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Wazuh
+WAZUH_PROD_FILE="$1"
+echo "ELASTIC_USERNAME=mistborn" > $WAZUH_PROD_FILE
+echo "ELASTIC_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE
+echo "ELASTICSEARCH_USERNAME=mistborn" >> $WAZUH_PROD_FILE
+echo "ELASTICSEARCH_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE
+chmod 600 $WAZUH_PROD_FILE
\ No newline at end of file
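Review bot: The comment `# Shutdown container (if running) when unit is stopped` sits directly above `ExecStartPre=/usr/sbin/sysctl -w vm.max_map_count=262144`, which it does not describe, and the `docker-compose ... down` it does describe runs at unit start, not at stop. The sysctl deserves its own comment because it is a host-wide, non-persistent kernel change made for the Elasticsearch container, e.g. `# Elasticsearch requires vm.max_map_count >= 262144; this is host-wide and not persisted across reboots`, and the next comment should read `# Tear down any stale containers before (re)starting`. `PermissionsStartOnly=true` is deprecated in newer systemd in favour of the `ExecStartPre=+...` prefix, and with `User=root` it changes nothing, so it can be dropped.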
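Review bot: The credentials file is created by the first `echo ... > $WAZUH_PROD_FILE` under the caller's default umask and only restricted by `chmod 600` after all four lines, including both passwords, have been written, so there is a window in which the file can be readable by other users; create it with mode 600 before writing instead. `$WAZUH_PROD_FILE` is unquoted in every redirection, `$1` is never checked, and an unset `MISTBORN_DEFAULT_PASSWORD` silently writes an empty password — `set -euo pipefail` plus a `${VAR:?}` guard catches all three. `echo` of a password containing backslashes is also shell-dependent, so `printf '%s\n'` is the safer emitter. The file additionally has no trailing newline.

```shell
#!/bin/bash
set -euo pipefail

# Wazuh
WAZUH_PROD_FILE="$1"
: "${MISTBORN_DEFAULT_PASSWORD:?MISTBORN_DEFAULT_PASSWORD must be set}"
# Create the env file with mode 600 before any credential is written,
# so the default umask never leaves it readable in between.
install -m 600 /dev/null "$WAZUH_PROD_FILE"
{
  printf '%s\n' "ELASTIC_USERNAME=mistborn"
  printf '%s\n' "ELASTIC_PASSWORD=$MISTBORN_DEFAULT_PASSWORD"
  printf '%s\n' "ELASTICSEARCH_USERNAME=mistborn"
  printf '%s\n' "ELASTICSEARCH_PASSWORD=$MISTBORN_DEFAULT_PASSWORD"
} > "$WAZUH_PROD_FILE"
```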