wazuh-dashboard-plugins icon indicating copy to clipboard operation
wazuh-dashboard-plugins copied to clipboard

Published 20 hours ago verified publisher icon wazuh

Wazuh dashboard prints IPv6 link-local addresses instead of other (most preferrable IP addresses)

Open fernandogont opened this issue 2 years ago • 2 comments

Wazuh Elastic Rev Security
4.4.5-1 7.x 4xxx Basic
Browser
Chrome

Description When listing agents in the wazuh-dashboard, in a lot of cases the dashboard will list the link-local IPv6 address of the node.

IPv6 link-local addresses are the most meaningless addresses of a host, since they are only valid on a local subnet, and must be used/accompanied with the corresponding interface index for the link-local address to be meaningful.

Preconditions

Wazuh agent has IPv6 support.

Steps to reproduce

Expected Result

Wazuh dashboard should probably order the host addresses, and list/show the address with the highest priority. Priorities could be, for example,:

  1. IPv6 global addresses
  2. IPv4 public addresses
  3. IPv6 ULAs
  4. IPv4 private addresses
  5. IPv6 link-local addresses
  6. IPv4 link-local addresses

If a system has multiple addresses, the dashboard should show one with the highest priority in the sample list above.

Actual Result

Wazuh dashboard quite often shows the IPv6 link-local address of the host.

fernandogont avatar Jul 19 '23 10:07 fernandogont

Thanks for linking this @vikman90 - just to clarify a bit, is the determination to show the agent's address as IPv6 happening in Kibana, or is this specifically the task to deal with the visual representation of that selected address? All for getting the aesthetics worked out, just want to make sure the functional aspect of agent/framework interactions is not lost in the churn given that rules and scripts can depend on that address being IPv4.

sempervictus avatar Jul 31 '23 12:07 sempervictus

@sempervictus The determination of the agent's IP must happen in each agent.

The agent sends its IP address within the notify (keepalive-like) message. The manager is limited to storing it in the database (schema_global.sql). Later, Wazuh Dashboard (Kibana) runs the GET /agents API endpoint to retrieve the list of agents.

The agent can inventory its network interfaces and determine which one is the default or the one that connects to the manager.

Best regards.

vikman90 avatar Aug 07 '23 06:08 vikman90