Re: Script on docker deployment.


Carles Lobón Quílez

Apr 14, 2025, 3:40:05 AM
to Wazuh | Mailing List
I forgot to mention the entrypoint script. Here it is:
#!/bin/bash

# Install Python and dependencies if not already installed
echo "[$(date)] Checking and installing Python dependencies..."
if ! command -v pip3 &> /dev/null; then
    echo "[$(date)] Installing pip and Python development tools..."
    yum -y update
    yum -y install python3-pip python3-devel gcc
fi

# Install Python dependencies
echo "[$(date)] Installing Python requirements..."
pip3 install -r /wazuh-config-mount/requirements.txt

# Create scripts directory if needed
if [ ! -d "/var/ossec/scripts" ]; then
    echo "[$(date)] Creating /var/ossec/scripts directory..."
    mkdir -p /var/ossec/scripts
fi

# Copy the update script to the proper location
echo "[$(date)] Copying update script..."
cp /wazuh-config-mount/update.py /var/ossec/scripts/update.py
chmod +x /var/ossec/scripts/update.py

# Update the CDB lists initially
echo "[$(date)] Running initial list update..."
cd /var/ossec/scripts && python3 update.py
UPDATE_RESULT=$?

if [ $UPDATE_RESULT -eq 0 ]; then
    echo "[$(date)] Lists updated successfully"
else
    echo "[$(date)] Warning: Failed to update list files: $UPDATE_RESULT"
    echo "[$(date)] Will continue with existing lists"
fi


Message from Carles Lobón Quílez <carles...@estudiantat.upc.edu> on Mon, Apr 14, 2025 at 9:21:
Hi,

I'm having trouble executing a script on the manager. I have some lists of malign IPs, hashes... that I would like to use in order to update some CDB lists. However, I keep getting errors.

Here is my docker-compose:
wazuh.manager:
  image: wazuh/wazuh-manager:4.11.2
  hostname: wazuh.manager
  restart: on-failure
  ulimits:
    memlock:
      soft: -1
      hard: -1
    nofile:
      soft: 655360
      hard: 655360
  ports:
    - "1514:1514"
    - "1515:1515"
    - "514:514/udp"
    - "55000:55000"
  environment:
    - INDEXER_USERNAME=admin
    - INDEXER_PASSWORD=SecretPassword
    - FILEBEAT_SSL_VERIFICATION_MODE=full
    - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
    - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
    - SSL_KEY=/etc/ssl/filebeat.key
    - API_USERNAME=wazuh-wui
    - API_PASSWORD=MyS3cr37P450r.*-
  volumes:
    - wazuh_api_configuration:/var/ossec/api/configuration
    - wazuh_etc:/var/ossec/etc
    - wazuh_logs:/var/ossec/logs
    - wazuh_queue:/var/ossec/queue
    - wazuh_var_multigroups:/var/ossec/var/multigroups
    - wazuh_integrations:/var/ossec/integrations
    - wazuh_active_response:/var/ossec/active-response/bin
    - wazuh_agentless:/var/ossec/agentless
    - wazuh_wodles:/var/ossec/wodles
    - filebeat_etc:/etc/filebeat
    - filebeat_var:/var/lib/filebeat
    - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
    - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
    - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
    - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
    - ./config/wazuh_rules/local_rules.xml:/wazuh-config-mount/etc/rules/local_rules.xml
    - ./config/wazuh_lists/ipv4:/wazuh-config-mount/etc/lists/ipv4
    - ./config/wazuh_lists/ipv6:/wazuh-config-mount/etc/lists/ipv6
    - ./config/wazuh_lists/hashmd5:/wazuh-config-mount/etc/lists/hashmd5
    - ./config/wazuh_lists/hashsha1:/wazuh-config-mount/etc/lists/hashsha1
    - ./config/wazuh_lists/hashsha256:/wazuh-config-mount/etc/lists/hashsha256
    - ./config/wazuh_lists/urls:/wazuh-config-mount/etc/lists/urls
    - ./config/updates/update.py:/wazuh-config-mount/update.py
    - ./config/updates/entrypoint-override.sh:/wazuh-config-mount/entrypoint-override.sh
    - ./config/updates/requirements.txt:/wazuh-config-mount/requirements.txt
  networks:
    - wazuh_network
  entrypoint: ["/wazuh-config-mount/entrypoint-override.sh"]

Here is my update.py:
import requests
import subprocess
import sys
import os

# URL and Authorization token
general_url = ""  # base URL of the API; not included in the post
auth_token = ""
headers = {
    "Authorization": f"Token {auth_token}",
}

output_folder = "/var/ossec/etc/lists"

def error_message(endpoint, error_code, error_message):
    print(f"ERROR: {endpoint} returned {error_code}: {error_message}")

def details_error(response):
    try:
        print(f"Response headers: {dict(response.headers)}")
        print(f"Response text: {response.text[:1000]}")
        try:
            error_data = response.json()
            if isinstance(error_data, dict):
                if 'errors' in error_data:
                    return "\n".join([error.get('detail', str(error)) for error in error_data.get('errors', [])])
                elif 'detail' in error_data:
                    return error_data['detail']
                else:
                    return str(error_data)
            return str(error_data)
        except ValueError:
            return response.text
    except Exception as e:
        return f"Error parsing response: {str(e)}"

def update_ipv4_list():
    response = requests.get(
        general_url + "ip/",
        params={"type": "IPv4"},
        headers=headers
    )

    if response.status_code == 200:
        ip_data = response.json()

        output_ipv4_file = os.path.join(output_folder, "ipv4.cdb")

        ipv4_addresses = [entry['value'] for entry in ip_data]
        try:
            with open(output_ipv4_file, "w") as file:
                for ip in ipv4_addresses:
                    file.write(f"{ip}:\n")

            print(f"Successfully wrote IPv4 IPs to {output_ipv4_file}")
        except Exception as e:
            error_message("No endpoint", "No status code", f"Error writing to file: {e}")
    else:
        error_message(f"{general_url}ip/?type=IPv4", response.status_code, details_error(response))

def update_ipv6_list():
    response = requests.get(
        general_url + "ip/",
        params={"type": "IPv6"},
        headers=headers
    )

    if response.status_code == 200:
        ip_data = response.json()

        output_ipv6_file = os.path.join(output_folder, "ipv6.cdb")

        ipv6_addresses = [entry['value'] for entry in ip_data]
        try:
            with open(output_ipv6_file, "w") as file:
                for ip in ipv6_addresses:
                    file.write(f"{ip}:\n")

            print(f"Successfully wrote IPv6 IPs to {output_ipv6_file}")

        except Exception as e:
            error_message("No endpoint", "No status code", f"Error writing to file: {e}")
    else:
        error_message(f"{general_url}ip/?type=IPv6", response.status_code, details_error(response))

def update_hashmd5_list():
    response = requests.get(
        general_url + "hash/",
        params={"type": "FileHash-MD5"},
        headers=headers
    )

    if response.status_code == 200:
        hash_data = response.json()

        output_hashmd5_file = os.path.join(output_folder, "hashmd5.cdb")

        hashmd5_hashes = [entry['value'] for entry in hash_data]
        try:
            with open(output_hashmd5_file, "w") as file:
                for hash in hashmd5_hashes:
                    file.write(f"{hash}:\n")

            print(f"Successfully wrote MD5 hashes to {output_hashmd5_file}")

        except Exception as e:
            error_message("No endpoint", "No status code", f"Error writing to file: {e}")
    else:
        error_message(f"{general_url}hash/?type=FileHash-MD5", response.status_code, details_error(response))

def update_hashsha1_list():
    response = requests.get(
        general_url + "hash/",
        params={"type": "FileHash-SHA1"},
        headers=headers
    )

    if response.status_code == 200:
        hash_data = response.json()

        output_hashsha1_file = os.path.join(output_folder, "hashsha1.cdb")

        hashsha1_hashes = [entry['value'] for entry in hash_data]
        try:
            with open(output_hashsha1_file, "w") as file:
                for hash in hashsha1_hashes:
                    file.write(f"{hash}:\n")

            print(f"Successfully wrote SHA1 hashes to {output_hashsha1_file}")

        except Exception as e:
            error_message("No endpoint", "No status code", f"Error writing to file: {e}")
    else:
        error_message(f"{general_url}hash/?type=FileHash-SHA1", response.status_code, details_error(response))

def update_hashsha256_list():
    response = requests.get(
        general_url + "hash/",
        params={"type": "FileHash-SHA256"},
        headers=headers
    )

    if response.status_code == 200:
        hash_data = response.json()

        output_hashsha256_file = os.path.join(output_folder, "hashsha256.cdb")

        hashsha256_hashes = [entry['value'] for entry in hash_data]
        try:
            with open(output_hashsha256_file, "w") as file:
                for hash in hashsha256_hashes:
                    file.write(f"{hash}:\n")

            print(f"Successfully wrote SHA256 hashes to {output_hashsha256_file}")

        except Exception as e:
            error_message("No endpoint", "No status code", f"Error writing to file: {e}")
    else:
        error_message(f"{general_url}hash/?type=FileHash-SHA256", response.status_code, details_error(response))

def update_urls_lists():
    response = requests.get(
        general_url + "url/",
        headers=headers
    )
    if response.status_code == 200:
        url_data = response.json()

        output_urls_file = os.path.join(output_folder, "urls.cdb")

        urls = [entry['value'] for entry in url_data]
        try:
            with open(output_urls_file, "w") as file:
                for url in urls:
                    file.write(f"{url}:\n")

            print(f"Successfully wrote URLs to {output_urls_file}")
        except Exception as e:
            error_message("No endpoint", "No status code", f"Error writing to file: {e}")
    else:
        error_message(f"{general_url}url/", response.status_code, details_error(response))

def run_wazuh_command(command):
    """Run a Wazuh command and return the result"""
    try:
        result = subprocess.run(command, shell=True, check=True, capture_output=True, text=True)
        return result.stdout
    except subprocess.CalledProcessError as e:
        print(f"Command failed with exit code {e.returncode}: {e.stderr}")
        return None

def restart_wazuh_if_needed():
    """Restart Wazuh if needed to apply changes to the lists"""
    try:
        result = run_wazuh_command("/var/ossec/bin/wazuh-control status")
        # run_wazuh_command returns None when the status command fails
        if result and "is running" in result:
            print("Restarting Wazuh to apply list changes...")
            run_wazuh_command("/var/ossec/bin/wazuh-control restart")
            print("Wazuh restarted successfully")
        else:
            print("Wazuh is not running, no need to restart")
    except Exception as e:
        print(f"Error checking/restarting Wazuh: {e}")

if __name__ == "__main__":
    # If we get here, backend is available, run the update functions
    try:
        update_ipv4_list()
        update_ipv6_list()
        update_hashmd5_list()
        update_hashsha1_list()
        update_hashsha256_list()
        update_urls_lists()
        restart_wazuh_if_needed()
    except Exception as e:
        print(f"Error during update: {e}")
        # Exit non-zero; the entrypoint logs a warning and continues with the existing lists
        sys.exit(1)

These are some of the log errors:
ERROR: No endpoint returned No status code: Error writing to file: [Errno 2] No such file or directory: '/var/ossec/etc/lists/ipv4.cdb'
ERROR: No endpoint returned No status code: Error writing to file: [Errno 2] No such file or directory: '/var/ossec/etc/lists/ipv6.cdb'
ERROR: No endpoint returned No status code: Error writing to file: [Errno 2] No such file or directory: '/var/ossec/etc/lists/hashmd5.cdb'
ERROR: No endpoint returned No status code: Error writing to file: [Errno 2] No such file or directory: '/var/ossec/etc/lists/hashsha1.cdb'
ERROR: No endpoint returned No status code: Error writing to file: [Errno 2] No such file or directory: '/var/ossec/etc/lists/hashsha256.cdb'
ERROR: No endpoint returned No status code: Error writing to file: [Errno 2] No such file or directory: '/var/ossec/etc/lists/urls.cdb'

Does someone know how I can do that? I'm having lots of trouble.

Thanks!

Carles Lobón Quílez

Apr 14, 2025, 3:40:13 AM
to Wazuh | Mailing List

ofure....@wazuh.com

Apr 30, 2025, 7:28:52 AM
to Wazuh | Mailing List
Hello,

The script looks like it's working. 
The error means the /var/ossec/etc/lists directory doesn't exist inside the container.

Try to modify your entrypoint-override.sh to create the lists directory before executing the script.
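
The same fix can also be made inside update.py, which goes one step beyond the entrypoint change suggested in the reply. This is an added example, not code from the thread or from Wazuh: `write_cdb_list` and `demo` are hypothetical names, and the temporary path and sample addresses are constructed.

```python
import os
import tempfile

def write_cdb_list(keys, path):
    """Write keys as "key:" lines to path; return the number of keys written."""
    directory = os.path.dirname(path)
    # open(path, "w") does not create parent directories; a missing one is
    # what raises [Errno 2] in the log above.
    os.makedirs(directory, exist_ok=True)

    cleaned, seen = [], set()
    for key in keys:
        key = str(key).strip()
        # Drop empty, multi-line and repeated values so that one feed entry
        # cannot add extra lines to the list.
        if not key or "\n" in key or "\r" in key or key in seen:
            continue
        seen.add(key)
        cleaned.append(key)

    # Write next to the target and rename into place, so a failed run never
    # leaves a half-written list behind.
    tmp_path = path + ".tmp"
    with open(tmp_path, "w") as handle:
        handle.writelines(f"{key}:\n" for key in cleaned)
    os.replace(tmp_path, path)
    return len(cleaned)

def demo():
    """Reproduce the error on a missing directory, then write the list."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-in for /var/ossec/etc/lists, which does not exist yet.
        target = os.path.join(root, "etc", "lists", "ipv4.cdb")
        try:
            open(target, "w").close()
            first_error = None
        except FileNotFoundError as exc:
            first_error = exc.errno
        # Constructed sample feed values (documentation address ranges).
        feed = ["192.0.2.10", "198.51.100.7\n", "", "203.0.113.5\n0.0.0.0:", "192.0.2.10"]
        count = write_cdb_list(feed, target)
        with open(target) as handle:
            return first_error, count, handle.read()

if __name__ == "__main__":
    print(demo())
```

Each of the six `update_*` functions in the posted script could call this helper in place of its own `open(...)` loop.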