add Wazuh agent to ScadaLTS container

Installs wazuh-agent (named 'scadalts') pointing at the Wazuh manager
at 192.168.90.20. Configures localfile monitoring for Tomcat catalina.out,
Tomcat HTTP access logs, and the MariaDB error log. Agent starts
conditionally via supervisor (DNS check for 'wazuh'), so the container
works normally without --profile siem.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: djformby

scadalts/Dockerfile

@@ -9,9 +9,14 @@ ENV SCADA_LTS_VERSION=2.7.8.1 \
     TOMCAT_USER=tcuser \
     TOMCAT_PASSWORD=tcuser
 
+# Fake systemctl so wazuh-agent postinstall doesn't fail
+RUN printf '#!/bin/bash\necho "[fake-systemctl] $@"\nexit 0\n' \
+    > /usr/local/bin/systemctl && chmod +x /usr/local/bin/systemctl
+
 # Install dependencies
 RUN apt-get update && \
-    apt-get install -y wget unzip supervisor mariadb-server libjaxb-api-java libjaxb-java libactivation-java && \
+    apt-get install -y wget unzip supervisor mariadb-server libjaxb-api-java libjaxb-java libactivation-java \
+    gnupg curl && \
     rm -rf /var/lib/apt/lists/*
 
 
@@ -39,9 +44,10 @@ RUN wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-8.3.0
     mv /tmp/mysql-connector-j-8.3.0/mysql-connector-j-8.3.0.jar $CATALINA_HOME/lib/ && \
     rm -rf /tmp/mysql-connector*
 
-# Prepare runtime dirs
-RUN mkdir -p /var/lib/mysql /run/mysqld /var/log/supervisor && \
-    chown -R mysql:mysql /var/lib/mysql /run/mysqld
+# Prepare runtime dirs and enable MariaDB error log
+RUN mkdir -p /var/lib/mysql /run/mysqld /var/log/supervisor /var/log/mysql && \
+    chown -R mysql:mysql /var/lib/mysql /run/mysqld /var/log/mysql && \
+    printf '[mysqld]\nlog_error=/var/log/mysql/error.log\n' > /etc/mysql/conf.d/logging.cnf
 VOLUME /var/lib/mysql
 
 # Add configs
@@ -66,6 +72,22 @@ RUN sed -i '/<\/Context>/i \
 COPY 1.png /usr/local/tomcat/static/uploads/1.png
 COPY seed_project_data.sql /seed_project_data.sql
 
+# Install Wazuh agent
+RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH \
+    | gpg --no-default-keyring \
+      --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import \
+    && chmod 644 /usr/share/keyrings/wazuh.gpg \
+    && echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] \
+       https://packages.wazuh.com/4.x/apt/ stable main" \
+       > /etc/apt/sources.list.d/wazuh.list \
+    && apt-get update \
+    && WAZUH_MANAGER=192.168.90.20 WAZUH_AGENT_NAME=scadalts apt-get install -y wazuh-agent \
+    && rm -rf /var/lib/apt/lists/*
+
+# Monitor Tomcat catalina log, access logs, and MariaDB error log
+RUN sed -i 's|</ossec_config>|<localfile>\n    <log_format>syslog</log_format>\n    <location>/usr/local/tomcat/logs/catalina.out</location>\n  </localfile>\n  <localfile>\n    <log_format>syslog</log_format>\n    <location>/usr/local/tomcat/logs/localhost_access_log*.txt</location>\n  </localfile>\n  <localfile>\n    <log_format>syslog</log_format>\n    <location>/var/log/mysql/error.log</location>\n  </localfile>\n</ossec_config>|' \
+    /var/ossec/etc/ossec.conf
+
 EXPOSE 8080 3306
 
 CMD ["/usr/bin/supervisord", "-n"]

scadalts/supervisord.conf

@@ -22,3 +22,11 @@ command=/bin/bash -c "sleep 10 && /usr/local/tomcat/bin/catalina.sh run"
 autostart=true
 autorestart=true
 priority=10
+
+[program:wazuh-agent]
+command=/bin/bash -c "if getent hosts wazuh >/dev/null 2>&1; then /var/ossec/bin/wazuh-control start; else echo '[scadalts] Wazuh not in DNS, skipping agent start'; fi; sleep infinity"
+autostart=true
+autorestart=false
+priority=20
+stdout_logfile=/var/log/supervisor/wazuh-agent.log
+stderr_logfile=/var/log/supervisor/wazuh-agent.err