What is Wazuh and Why Should You Use It?

Wazuh is an open-source security platform that provides intrusion detection, integrity monitoring, incident response, and compliance auditing. Its versatility makes it ideal for both small businesses and large corporations. Furthermore, being open-source, Wazuh is completely free and allows modifications to meet any specific needs.

Initial Preparations Before Installation

Before you dive into the installation of Wazuh, it is crucial that you prepare your system. This involves ensuring that the operating system is updated and setting up the environment to support the installation of Wazuh through Docker. Here is how you do it:

First, it is necessary to disable the firewall to prevent it from interfering with the installation process. To do this, simply execute in the terminal:

ufw disable

This command will disable the firewall, ensuring that it will not block any of the necessary connections during the installation.

Next, you must ensure that all system packages are updated and that git is installed, as you will need it to clone the Wazuh repository. Execute:

apt update && apt install git

With these commands, your system will be updated and ready for the next phase.

Installing Docker

Wazuh in Docker simplifies dependency management and ensures that the platform can run isolated and secure. To install Docker, you can use the script provided by Docker, which sets up everything automatically:

curl -sSL https://get.docker.com/ | sh

Once Docker is installed, it is essential to ensure it automatically runs at system startup:

systemctl start docker
systemctl enable docker

These commands will start the Docker service and configure it to automatically start at each system boot.

Docker Compose

If you install Docker as previously indicated, you do not need to install this tool, but if you already have Docker and it does not support “docker compose”, you can install docker-compose like this:

curl -L "https://github.com/docker/compose/releases/download/v2.12.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

The following commands that have “docker compose” should be executed as docker-compose.

Setting Up the Wazuh Environment

With Docker already configured, the next step is to prepare the specific environment for Wazuh. Head to the optimal directory to keep organized the files related to security:

cd /opt

Now, it is time to clone the most recent version of the Wazuh repository for Docker:

git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.3

This command downloads all the necessary files to run Wazuh in a Docker container.

Generating Certificates and Starting Up Wazuh

Before starting Wazuh, you must generate the necessary certificates for the proper functioning of the Wazuh components. Navigate to the correct directory and execute the certificate generator:

cd wazuh-docker/single-node/
docker compose -f generate-indexer-certs.yml run --rm generator

With the certificates generated, you are now ready to start all the Wazuh services:

docker compose up -d

This last command lifts all the containers necessary for Wazuh to operate properly in a single-node mode, ideal for test environments or small implementations.

Verification of the Installation

Once all the previous steps are completed, it is important to verify that everything is working as expected. You can check the status of the Docker containers to ensure that all Wazuh services are active and running. Additionally, access the Wazuh web interface to start exploring the functionalities and available settings.

Customization and Monitoring

With your Wazuh server now operational, the next step is to customize the configuration to adapt it to your specific needs. Wazuh offers a wide variety of options for configuring rules, alerts, and automatic responses to incidents. Take advantage of the available documentation to explore all the possibilities that Wazuh offers.

Installing and configuring your own Wazuh server may seem like a complex task, but by following these steps, you will have a robust computer security system without needing large investments. Not only will it improve the security of your information, but it will also provide you with a powerful tool to monitor and proactively respond to any incident.

Wazuh Password Change

Stop the service using Docker Compose:

docker compose down

Generate the hash of the new password using the Wazuh container:

Run the following command to start the hash script:

docker run --rm -ti wazuh/wazuh-indexer:4.6.0 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh

Enter the new password when prompted and copy the generated hash.

Update the internal users file with the hash of the new password:

Open the file with a text editor like vim:

vim config/wazuh_indexer/internal_users.yml

Paste the generated hash for the admin user.

Update the docker-compose.yml file with the new password:

Open the docker-compose.yml file:

vim docker-compose.yml

Enter the new password in lines 24 and 81 where it says INDEXER_PASSWORD.

Raise the services again with Docker Compose:

docker compose up -d

This restarts the service stack.

Access the container and run the security script:

Access the container:

docker exec -it single-node-wazuh.indexer-1 bash

Define the variables and run the security script:

export INSTALLATION_DIR=/usr/share/wazuh-indexer
CACERT=$INSTALLATION_DIR/certs/root-ca.pem
KEY=$INSTALLATION_DIR/certs/admin-key.pem
CERT=$INSTALLATION_DIR/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9200 -icl

Exit the container:

exit

This process allows you to update the admin password for Wazuh using Docker, making sure to follow all the steps correctly to ensure the changes are effective.

La entrada Install Your Own Wazuh Server on Ubuntu se publicó primero en Aprende IT.

Understanding the Importance of Docker Security
Before diving into the world of Docker and its security, it’s essential to grasp why it’s so critical. Docker has revolutionized the way we deploy applications, making the process more streamlined and efficient. However, like any technology, it’s not without its vulnerabilities. A poorly configured Docker container can be a gateway for cybercriminals. And as we all know, it’s better to be safe than sorry.

The Principle of Least Privilege
First off, let’s talk about the principle of least privilege. It’s a golden rule in IT security. The idea is to grant programs and processes only the privileges they genuinely need to get their job done. Nothing more.

In the Docker context, this means you should avoid running containers with root privileges unless absolutely necessary. If an attacker manages to access a container with root privileges, they could potentially take control over the entire host system. So, whenever possible, limit those privileges.

Trusted Images
Now, let’s focus on images. They’re the foundation of our containers. But where do you get them from? Not all images available on Docker Hub are safe. Some might have known vulnerabilities or even hidden malware.

I recommend only using images from trustworthy sources. If possible, opt for official images or those from well-known providers. And if you decide to build your own images, ensure they’re up to date and follow good security practices in their design.

Vulnerability Scanning
Let’s talk tools! Nowadays, there are specific solutions designed to scan Docker containers for vulnerabilities. These tools can identify issues in images before they’re deployed. It’s a proactive approach to tackle risks.

I advise integrating these scans into your continuous integration and delivery process. This way, every time a new version of your application is prepared, you can be sure the containers are clean and ready for action.

Networking and Communications
Another critical aspect is networking. Docker allows you to create virtual networks for your containers to communicate with each other. However, not all containers should talk to one another. In fact, in many cases, it’s preferable they’re isolated.

By familiarizing yourself with Docker networks, you can configure them so only specific containers have access to others. This reduces the attack surface and limits the potential lateral movement of any intruders.

Regular Updates
One thing that should never be missing from your security routine is updates. Keeping Docker, your containers, and the applications running in them updated is vital. Updates don’t only introduce new features but also patch vulnerabilities.

So, always stay tuned to Docker news and updates. If a critical vulnerability emerges, you’ll want to be among the first to address it.

Limit Access
Last but not least, limit access to your containers. Not everyone in your organization needs to access all Docker functions. Define roles and permissions and grant them wisely. And, of course, ensure any access is backed by robust authentication and, if possible, multi-factor.

So, what did you think of this journey through Docker security? I hope you found it beneficial and will implement these recommendations. Cybersecurity is an ongoing task, requiring our attention and care. But with the right tools and best practices, you can rest easy knowing your Docker containers are well-protected. Catch you next time!

La entrada Docker Container Security: Best Practices and Recommendations se publicó primero en Aprende IT.

Why do you need to optimize Docker containers?

First, it’s important to understand why you need to optimize your Docker containers. Docker is a fantastic tool that allows developers to package and distribute their applications in containers really effectively. However, like any other technology, it’s not perfect and might require some optimization to ensure your application runs as well as possible.

Imagine you’re driving a car. If you don’t change the oil regularly or check the brakes, your car is likely not going to perform at its best. The same goes for Docker. If you don’t make an effort to optimize your containers, you can end up with suboptimal performance.

How to know if your Docker containers need optimization?

Well, the million-dollar question, how do you know if your Docker containers need optimization? Several signs might indicate that you need to work on optimizing your Docker containers.

If you observe that your applications take too long to load, or if your containers use an excessive amount of CPU or memory, it’s likely you need to make some adjustments. Another indicator could be if you see your containers crash frequently, or if you notice that your applications are unable to handle the amount of traffic you expected.

Understanding Docker and Resource Optimization

To be able to optimize the performance of your Docker containers, you first need to understand how Docker uses system resources. Docker runs on a host machine and uses the resources of that machine to run containers. However, Docker doesn’t use all the resources of the host machine by default. Instead, it limits the amount of resources each container can use.

Now, with a better understanding of how Docker uses system resources, we can explore how to optimize the performance of your Docker containers.

Reducing Docker Image Size

One effective way to improve the performance of your Docker containers is by reducing the size of your Docker images. Large images can slow down the startup of your containers and increase memory usage. Therefore, by reducing the size of your Docker images, you can help improve the speed and efficiency of your containers.

There are several ways to do this. One is by using smaller base images. For instance, instead of using a Ubuntu base image, you could use an Alpine base image, which is significantly smaller. Another strategy is to remove any unnecessary files from your images. This includes temporary files, cache files, and packages that aren’t necessary for running your application.

Limiting Resource Usage

Another strategy to optimize your Docker containers is to limit resource usage. As mentioned before, Docker limits the amount of resources each container can use. However, you can adjust these limits to ensure that your containers aren’t using more resources than they need.

For example, you can limit the amount of CPU a container can use by setting a CPU limit in your Docker configuration file. Similarly, you can limit the amount of memory a container can use by setting a memory limit.

Efficiently Using Storage in Docker

Storage is another crucial resource that Docker uses, and it can affect the performance of your containers. Therefore, it’s vital that you use Docker’s storage as efficiently as possible.

One tip to do this is to limit the amount of data your containers are writing to disk. The more data a container writes to disk, the slower it will be. Therefore, if you can reduce the amount of disk writes, you can improve your containers’ performance.

Additionally, keep in mind that Docker uses a storage layer to manage container data. Each time a container writes data to disk, Docker creates a new storage layer. This can slow down your containers, especially if they’re writing large amounts of data. Therefore, it’s recommended that you optimize the use of Docker’s storage layer.

Optimizing Networks in Docker

Last but not least, the network is a crucial resource in Docker that can also affect the performance of your containers. Networking in Docker can be complex as it involves communication between containers, between containers and the host machine, and between containers and the outside world.

One way to optimize networking in Docker is by using custom networks. Docker allows you to create your own networks and assign containers to these networks. This can be helpful for optimizing container-to-container communication, as you can group containers that need to communicate with each other on the same network.

Additionally, you can optimize networking in Docker by adjusting network parameters. Docker allows you to adjust various network parameters, such as buffer size, network congestion, and flow control. By adjusting these parameters, you can help improve Docker’s network efficiency.

And that’s all…

I hope these tips have helped you understand how you can optimize the performance of your Docker containers. Remember that each application is unique, and what works for one might not work for another. Therefore, it’s important to experiment and find the optimization strategies that work best for your applications.

Until the next post!

La entrada Docker Container Performance Optimization: Practical Tips for Best Performance se publicó primero en Aprende IT.

Understanding Docker and containers

Before diving into the intricacies of debugging, it’s good to briefly clarify what Docker is and why containers are so relevant in modern application development. Docker is a tool that allows developers like you to package applications and their dependencies into containers. These containers are lightweight and portable, allowing you to run your applications on any operating system that supports Docker, without worrying about tedious configuration tasks.

Tools for debugging in Docker

Debugging from the host

First, let’s talk about how you can debug your applications from the same host where the Docker container is running. This is useful in situations where you want to track what’s happening in your application in real-time without needing to access the container.

You can use tools like docker logs, which allows you to view your applications’ logs in real-time. Plus, you can use docker top to view the processes that are running inside your container. This allows you to see what’s consuming resources and if there’s any process that shouldn’t be running.

Accessing the container

Occasionally, you will need to directly access the container to debug your application. Docker allows you to do this using the docker exec command, which lets you run commands inside your container as if you were on the host operating system.

Once inside the container, you can use the debugging tools installed on your image. For example, if you’re working with a Python application, you could use pdb to debug your code.

Debugging with Docker Compose

Docker Compose is another tool that will be useful in debugging your applications. Docker Compose allows you to define and run multi-container applications with a simple description in a YAML file.

Like with Docker, you can access your applications’ logs with docker-compose logs, and you can also access the container with docker-compose exec.

Techniques for debugging applications in Docker

Runtime debugging

Runtime debugging allows you to inspect your application’s state while it’s running. You can do this using tools like pdb (for Python) or gdb (for C/C++) within your container.

These tools allow you to put breakpoints in your code, inspect variables, and step through your application’s execution, allowing you to see exactly what’s happening at each moment.

Post-mortem debugging

Post-mortem debugging is done after your application has crashed. This allows you to inspect your application’s state at the moment of failure.

Post-mortem debugging is especially useful when you encounter intermittent or hard-to-reproduce errors. In these cases, you can set up your application to generate a memory dump in case of failure, which you can later analyze to find the problem.

Tracing and Profiling

Another useful technique in debugging applications in Docker is tracing and profiling. This gives you detailed information about your application’s execution, such as how long each function takes to execute or memory usage.

There are various tools that allow you to trace and profile your applications in Docker, like strace (for Linux-based systems) or DTrace (for Unix-based systems).

Final tips

Before wrapping up, I’d like to give you some tips to make your experience debugging applications in Docker as bearable as possible:

• Make sure you have a good understanding of how Docker works. The better you understand Docker, the easier it will be to debug your applications.
• Familiarize yourself with the debugging tools available for your programming language.
• Don’t forget the importance of good logs. A good logging system can be your best ally when debugging problems in your applications.
• Use Docker Compose to orchestrate your multi-container applications. This will make it easier to debug problems that arise from the interaction between various containers.

In summary, debugging applications in Docker containers can be a complex task, but with the right tools and techniques, you’ll be able to do it efficiently and effectively. Remember, practice makes perfect, so don’t get frustrated if it seems complicated at first. Cheer up and let’s get debugging!

La entrada How to debug applications in Docker containers: Your ultimate guide se publicó primero en Aprende IT.

La entrada Migrating from Docker Swarm to Kubernetes: A Case Study se publicó primero en Aprende IT.

La entrada 10 Essential Docker Tricks You Should Know se publicó primero en Aprende IT.

In Dockerfiles the order matters a lot. For example, it is not the same to execute a COPY or ADD instruction to add an executable file and then execute it than trying to execute it before adding it. This seems obvious but it is one of the main errors that cause a Dockerfile to not work correctly when trying to create an image from it.

Lighten the image by deleting files

Whenever you create an image take into account the deletion of temporary files that we will not need when running the application because this way we will save disk space. For example, if to run the application we download a compressed file, unzip its content and this content is the one we will use, we should delete the compressed file to make the image lighter.

Reduces the number of files

Avoid installing unneeded packages. If you do not do this you may have a higher memory and disk consumption with the image you are creating and you may also generate more security problems since you will have to maintain and update these files in each version.

Avoid including files that you should not by using “.dockerignore”.

Avoid including files that should not be included such as files containing personal data by using “.dockerignore” files. These files are similar to “.gitignore” files and with a few lines we can avoid filtering information.

Specifies the base image version and dependencies.

It is important to use concrete versions and not to use base images and dependencies without specifying version. Not specifying versions can lead to bugs that are not contemplated and difficult to locate.

Use the correct base image

It is important to use base images as small as possible as Alpine or Busybox whenever possible. On the other hand it is possible that with some applications we need specific images to make the application work, in this case there is not much more to comment, use it.

Finally whenever possible use official base images, doing this you will avoid problems such as using images with embedded malware.

Reuse images

If all the images running on your hosts are based on Ubuntu:20.04 for example, using this base image can save you more disk space than using a small image like Alpine or Busybox since you already have the other image saved on disk.

La entrada Best practices building images with Dockerfiles se publicó primero en Aprende IT.

So why “waste time” passing the application to containers?

When we prepare an application to run in containers we are not wasting time. On the contrary, we are gaining time in the future.

Let me explain, when an application is prepared to run on containers, we are making the application more independent of a system because we can update the system where the containers run without affecting the application and on the contrary, we can update the application image without affecting the base system. Therefore, we provide a layer of isolation to the application.

It is important to highlight that the image that we prepare for the application should comply with the OCI or Open Container Initiative standards (as can be verified in https://opencontainers.org/ ), that is to say, the image is OCI compliant and we can run the image of our application in all the compatible routines such as:

• Docker
• Containerd
• Cri-o
• Rkt
• Runc

Well, what else does it bring us to have the application ready to run in a container?

We can take advantage of the above mentioned with the previous routines and stand-alone managers such as docker from orchestrators such as:

• Docker-swarm (it is not the most used) 
• Kubernetes (the orchestrator most used)

This type of orchestrators provide great advantages for our application, such as high availability, scalability, monitoring, flexibility, etc. They provide an extra abstraction layer that makes it easier to manage networks, volumes, instance management, and everything related to container management.

For example, using Kubernetes you can have an application in production and have it scale based on CPU or RAM usage. You can also make sure that there are a certain number of instances. And most importantly, you can deploy without causing a disaster by very quickly managing a rollback if necessary.

Conclusions

Just a few years ago the industry in general only saw this as viable for non-production environments (except for the most daring) but recently we are seeing more and more widespread adoption of this type of technology. In fact, the vast majority of the major cloud technology players have implemented cloud-related services.

La entrada Why we should containerize our applications se publicó primero en Aprende IT.

Docker system

The docker system command has several subcommands:

• docker system info
• docker system df
• docker system events
• docker system prune

View docker host information

To see the information about the host from docker we can run the command docker system info or its abbreviation docker info like this:

[ger-pc ~]# docker info
Client:
Debug Mode: false

Server:
Containers: 1
Running: 1
Paused: 0
Stopped: 0
Images: 5
Server Version: 19.03.7-ce
Storage Driver: overlay2
Backing Filesystem: <unknown>
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d76c121f76a5fc8a462dc64594aea72fe18e1178.m
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 5.5.8-1-MANJARO
Operating System: Manjaro Linux
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.233GiB
Name: ger-pc
ID: MWH3:24AM:UAZJ:E5UL:TRI3:F4NZ:Y3JD:IMKP:7G2V:VV6I:L5XF:J2TW
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

This way we will be able to know on which hardware, docker version, system characteristics, we are working on.

View disk usage of each container

We can see the disk capacity used by each image, container, volume and build cache. The docker system df command will give us a brief summary of the disk for each docker component as you can see in the following example:

[ger-pc ~]# docker system df 
TYPE TOTAL ACTIVE SIZE RECLAIMABLE
Images 6 1 1.006GB 803.4MB (79%)
Containers 1 0 2B 2B (100%)
Local Volumes 0 0 0B 0B
Build Cache 0 0 0B 0B
[ger-pc ~]#

If we also want to know how much disk space each image or each container or each volume occupies, we have to add the -v option to the command as you can see in the following example:

 
[ger-pc ~]# docker system df -v
Images space usage:

REPOSITORY TAG IMAGE ID CREATED SIZE SHARED SIZE UNIQUE SIZE CONTAINERS
nginx alpine 89ec9da68213 3 days ago 19.94MB 0B 19.94MB 0
archlinux latest 9651b9e35f39 2 weeks ago 412.2MB 0B 412.2MB 0
ubuntu 18.04 4e5021d210f6 5 weeks ago 64.21MB 0B 64.21MB 0
centos 8 470671670cac 3 months ago 237.1MB 0B 237.1MB 0
ubuntu 19.04 c88ac1f841b7 3 months ago 69.99MB 0B 69.99MB 0
centos 7 5e35e350aded 5 months ago 203MB 0B 203MB 1

Containers space usage:

CONTAINER ID IMAGE COMMAND LOCAL VOLUMES SIZE CREATED STATUS NAMES
6e034771f891 centos:7 "/bin/bash" 0 2B 25 hours ago Exited (137) 15 hours ago container1

Local Volumes space usage:

VOLUME NAME LINKS SIZE

Build cache usage: 0B

CACHE ID CACHE TYPE SIZE CREATED LAST USED USAGE SHARED
[ger-pc ~]#

View disk usage of each container

The docker system events command reports docker system events in real time. This can help us when the system has a failure and we want to prevent it from reoccurring.
The command syntax is very simple:

docker system events

Remove docker residues

Docker has a very fast way to clean up the system.
The docker system prune command can help us a lot to perform the system cleanup,

The syntax of the command is:

docker system prune

An example of the output is:

[ger-pc ~]# docker system prune
WARNING! This will remove:
- all stopped containers
- all networks not used by at least one container
- all dangling images
- all dangling build cache

Are you sure you want to continue? [y/N] y
Deleted Containers:
6e034771f891225529dc6fc7eef6f40d537820d7607f68885edc10f2c71c6f9d

Total reclaimed space: 2B
[ger-pc ~]#

As you can see it will only eliminate:

• Stopped containers
• Unused nets (no containers)
• Images hung
• Build cache hung

To not ask for confirmation we add the -f parameter so it should be “docker system prune -f” and so it will delete all of the above at once, without confirmation,

If we want to delete all the images we can execute the command by adding -a and the command will look like this:

docker system prune -a

To remove volumes as well, add the –volumes parameter as in the following example:

docker system prune --volumes

If you are interested in learning Docker you can purchase our book here

Docker para novatos

If you liked the article, share it on your social networks so we can reach more people!

Best regards

La entrada The docker system command se publicó primero en Aprende IT.