
The wazuh-cert-tool does not admit multiple IPs

Open • dariommr opened this issue 2 years ago • 1 comment

Wazuh version: All
Install type: Manager
Action performed: Install
Platform: Any

Hello Team. When configuring cluster nodes that contain more than one IP address (such as CCS, CCR), we need to create the certificates with multiple IP addresses (Subject Alternative Names).

  • OpenSSL Documentation: https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html

My request is to add this feature to the wazuh-cert-tool.

Thank you in advance!

dariommr avatar May 25 '22 14:05 dariommr

Update

The function that we are using to parse config.yml to bash is not ideal: it does not distinguish whether a server IP comes from one node or another, it just passes everything into the same array. Moreover, right now we can't pass more than one IP to one node; it is a one-to-one relationship. So the function needs to be changed, which also means that the variables would probably change the way we are getting them.

I have found a function that allows us to do more things with the YAML files; it is more accurate than the previous one. The function is based on the previous one: Function, Credits

I have only added this line, gsub(\"name: \", \"\");, because the names were not parsed correctly.

Example of both functions' output:

config.yml
nodes:
  indexer:
    - name: indexer
      ip: 127.0.0.1
    - name: indexer2
      ip: 127.0.0.20
  server:
    - name: server
      ip: 127.0.0.1
      ip: 127.0.0.2
      ip: 127.0.0.4
      node_type: master
    - name: server2
      ip: 127.0.0.3
      node_type: worker
    - name: server3
      ip: 127.0.0.10
      node_type: worker

  dashboard:
    - name: dashboard
      ip: 127.0.0.1
    - name: dashboard2
      ip: 127.0.0.12
Current parse YAML function output
nodes_indexer__name=indexer
nodes_indexer__ip=127.0.0.1
nodes_indexer__name=indexer2
nodes_indexer__ip=127.0.0.20
nodes_server__name=server
nodes_server__ip=127.0.0.1
nodes_server__ip=127.0.0.2
nodes_server__ip=127.0.0.4
nodes_server__node_type=master
nodes_server__name=server2
nodes_server__ip=127.0.0.3
nodes_server__node_type=worker
nodes_server__name=server3
nodes_server__ip=127.0.0.10
nodes_server__node_type=worker
nodes_dashboard__name=dashboard
nodes_dashboard__ip=127.0.0.1
nodes_dashboard__name=dashboard2
nodes_dashboard__ip=127.0.0.12
New parse YAML function output
nodes_indexer_1="indexer"
nodes_indexer_1_ip="127.0.0.1"
nodes_indexer_2="indexer2"
nodes_indexer_2_ip="127.0.0.20"
nodes_server_1="server"
nodes_server_1_ip="127.0.0.1"
nodes_server_1_ip="127.0.0.2"
nodes_server_1_ip="127.0.0.4"
nodes_server_1_node_type="master"
nodes_server_2="server2"
nodes_server_2_ip="127.0.0.3"
nodes_server_2_node_type="worker"
nodes_server_3="server3"
nodes_server_3_ip="127.0.0.10"
nodes_server_3_node_type="worker"
nodes_dashboard_1="dashboard"
nodes_dashboard_1_ip="127.0.0.1"
nodes_dashboard_2="dashboard2"
nodes_dashboard_2_ip="127.0.0.12"
nodes_dashboard_=" nodes_dashboard_1 nodes_dashboard_2"
nodes_indexer_1_=" nodes_indexer_1_ip"
nodes_indexer_2_=" nodes_indexer_2_ip"
nodes_=" nodes_indexer nodes_server nodes_dashboard"
nodes_dashboard_1_=" nodes_dashboard_1_ip"
nodes_server_1_=" nodes_server_1_ip nodes_server_1_node_type"
nodes_dashboard_2_=" nodes_dashboard_2_ip"
nodes_server_2_=" nodes_server_2_ip nodes_server_2_node_type"
nodes_server_3_=" nodes_server_3_ip nodes_server_3_node_type"
nodes_indexer_=" nodes_indexer_1 nodes_indexer_2"
__=" nodes"
nodes_server_=" nodes_server_1 nodes_server_2 nodes_server_3"

Now we can separate the nodes' IPs.

By changing this we also need to change the variables.

New variables
# Node names: the new function emits them as nodes_<section>_<n>="<name>" (index directly followed by "=")
eval "indexer_node_names=( $(cert_parseYaml "${config_file}" | grep "nodes_indexer_[0-9]=" | cut -d = -f 2 ) )"
eval "server_node_names=( $(cert_parseYaml "${config_file}" | grep "nodes_server_[0-9]=" | cut -d = -f 2 ) )"
eval "dashboard_node_names=( $(cert_parseYaml "${config_file}" | grep "nodes_dashboard_[0-9]=" | cut -d = -f 2) )"
# All IPs of a section, flattened in file order (one element per "ip:" line)
eval "indexer_node_ips=( $(cert_parseYaml "${config_file}" | grep "nodes_indexer_[0-9]_ip=" | cut -d = -f 2) )"
eval "server_node_ips=( $(cert_parseYaml "${config_file}" | grep "nodes_server_[0-9]_ip=" | cut -d = -f 2) )"
eval "dashboard_node_ips=( $(cert_parseYaml "${config_file}" | grep "nodes_dashboard_[0-9]_ip=" | cut -d = -f 2 ) )"
eval "server_node_types=( $(cert_parseYaml "${config_file}" | grep "nodes_server_[0-9]_node_type=" | cut -d = -f 2 ) )"
# Number of server nodes: count the distinct nodes_server_<n>_ip prefixes (a node with several IPs repeats its prefix)
eval "number_server_ips=( $(cert_parseYaml "${config_file}" | grep -o -E 'nodes_server_[0-9]_ip' | sort -u | wc -l) )"

# One array per server node, server_node_ip_<n>, holding only that node's IPs.
# The grep key is built from the prefix the new function emits (nodes_server_<n>_ip=),
# so the "_ip=" suffix excludes the name, node_type and index-list lines of the same node.
for i in $(seq 1 ${number_server_ips}); do
      string='nodes_server_'
      nodes_server="${string}${i}_ip="
      eval "server_node_ip_$i=( $( cert_parseYaml "${config_file}" | grep "^${nodes_server}" | cut -d = -f 2 | sed -r 's/\s+//g') )"
done
Output
Indexer node names: indexer indexer2
Server node names: server server2 server3
Dashboard node names: dashboard dashboard2
Indexer node ips: 127.0.0.1 127.0.0.20
Server node ips: 127.0.0.1 127.0.0.2 127.0.0.4 127.0.0.3 127.0.0.10
Dashboard node ips: 127.0.0.1 127.0.0.12
Server node types: master worker worker
Number of servers: 3
Server 1: 127.0.0.1 127.0.0.2 127.0.0.4
Server 2: 127.0.0.3
Server 3: 127.0.0.10

Now that all of this is done, we need to make some changes in the cert_generateCertificateconfiguration function. Right now our certificate configuration file looks like this.

        [ req ]
        prompt = no
        default_bits = 2048
        default_md = sha256
        distinguished_name = req_distinguished_name
        x509_extensions = v3_req

        [req_distinguished_name]
        C = US
        L = California
        O = Wazuh
        OU = Wazuh
        CN = cname

        [ v3_req ]
        authorityKeyIdentifier=keyid,issuer
        basicConstraints = CA:FALSE
        keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
        subjectAltName = @alt_names

        [alt_names]
        IP.1 = cip

It has to be changed to include more IPs in the alt_names section.

Goals

  • [x] Change the function that parses .yml files.
  • [x] Adapt the variables to the new function.
  • [x] Make the cert-tool capable of using multiple IPs.
  • [x] Make sure that certificates are created correctly.
  • [x] Improve what has been done (remove unnecessary calls, see if some things can be done better).

miguelfdez99 avatar Aug 02 '22 12:08 miguelfdez99
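The two pieces the comment above describes, parsing a node list in which one node carries several ip: lines and turning that list into an [alt_names] section with one entry per address, written out as an added example. This is not code from wazuh-packages: the function names (parse_nodes, node_ips, san_kind, alt_names, node_cert_config), the sample config and the host name wazuh.example are assumptions made here. It keeps IPs attached to the node they belong to, uses IP.n for IPv4 literals and DNS.n for host names (the distinction the openssl x509 output in the tests shows), and rejects a value that is neither with the same wording the tool logs.

```shell
#!/bin/sh
# Added example, not code from wazuh-packages. POSIX sh sketch of: (1) parsing
# the cert-tool's node list, where a node may list several "ip:" lines, and
# (2) emitting an OpenSSL request config whose [alt_names] carries one entry
# per address (IP.n for IPv4 literals, DNS.n for host names).

# Constructed sample in the issue's format (repeated ip: keys under one node).
SAMPLE_CONFIG='nodes:
  indexer:
    - name: indexer
      ip: 127.0.0.1
  server:
    - name: server
      ip: 127.0.0.1
      ip: 127.0.0.2
      ip: wazuh.example
      node_type: master
    - name: server2
      ip: 127.0.0.3
      node_type: worker
'

# parse_nodes: reads the config on stdin and prints one line per node,
# "<section> <name> <ip>[,<ip>...]", so each IP stays with its own node.
parse_nodes() {
  awk '
    function flush() { if (name != "") print section, name, ips; name = ""; ips = "" }
    /^  [a-z_]+:/  { flush(); section = $1; sub(":", "", section); next }
    /^    - name:/ { flush(); name = $3; next }
    /^      ip:/   { ips = (ips == "" ? $2 : ips "," $2); next }
    END            { flush() }'
}

# node_ips <section> <name>: the comma-separated address list of one node.
node_ips() {
  parse_nodes | awk -v s="$1" -v n="$2" '$1 == s && $2 == n { print $3 }'
}

# san_kind <value>: prints "IP" for a valid dotted-quad IPv4 address, "DNS"
# for a syntactically valid host name; anything else exits with status 1.
san_kind() {
  printf '%s\n' "$1" | awk '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      n = split($0, o, "."); for (i = 1; i <= n; i++) if (length(o[i]) > 3 || o[i] + 0 > 255) exit 1
      print "IP"; exit 0
    }
    /^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$/ {
      n = split($0, l, "."); for (i = 1; i <= n; i++) if (length(l[i]) > 63) exit 1
      print "DNS"; exit 0
    }
    { exit 1 }'
}

# alt_names <ip,ip,...>: the [alt_names] section for one node. IP.n and DNS.n
# are numbered independently, as OpenSSL expects; a bad entry aborts.
alt_names() {
  ip_n=0; dns_n=0
  printf '[alt_names]\n'
  for v in $(printf '%s\n' "$1" | tr ',' ' '); do
    kind=$(san_kind "$v") || { printf 'ERROR: Invalid IP or DNS %s\n' "$v" >&2; return 1; }
    if [ "$kind" = IP ]; then
      ip_n=$((ip_n + 1)); printf 'IP.%d = %s\n' "$ip_n" "$v"
    else
      dns_n=$((dns_n + 1)); printf 'DNS.%d = %s\n' "$dns_n" "$v"
    fi
  done
}

# node_cert_config <name> <ip,ip,...>: the issue's request template with the
# CN and the multi-entry alt_names filled in for one node.
node_cert_config() {
  cat <<EOF
[ req ]
prompt = no
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req

[req_distinguished_name]
C = US
L = California
O = Wazuh
OU = Wazuh
CN = $1

[ v3_req ]
authorityKeyIdentifier=keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

EOF
  alt_names "$2"
}

# Demo: one request config per server node of the constructed sample.
printf '%s' "$SAMPLE_CONFIG" | parse_nodes | while read -r section name ips; do
  [ "$section" = server ] || continue
  printf '# ---- %s.conf ----\n' "$name"
  node_cert_config "$name" "$ips"
done
```

Each generated config can be passed to openssl req with -config, and the resulting certificate's SAN extension then lists every address of that node, as in the openssl x509 -text output shown in the tests below. Validating each value before it reaches the config is what turns a typo such as 127.0.0. into an error instead of a silently wrong certificate.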

TESTS

wazuh-certs-tool.sh

config.yml

nodes:
  indexer:
    - name: indexer
      ip: 127.0.0.1
  server:
    - name: server
      ip: 127.0.0.1
      ip: 127.0.0.2
      ip: google.com
      ip: 127.0.0.4
      ip: wazuh.com
      node_type: master
    - name: server2
      ip: 127.0.0.3
      node_type: worker
    - name: server3
      ip: 127.0.0.10
      node_type: worker

  dashboard:
    - name: dashboard
      ip: 127.0.0.1
    - name: dashboard2
      ip: 127.0.0.12
[vagrant@centos7 ~]$ bash wazuh-certs-tool.sh -A
31/08/2022 07:12:20 INFO: Admin certificates created.
31/08/2022 07:12:21 INFO: Wazuh indexer certificates created.
31/08/2022 07:12:21 INFO: Wazuh server certificates created.
31/08/2022 07:12:21 INFO: Wazuh dashboard certificates created.
[vagrant@centos7 ~]$ ls wazuh-certificates/
admin-key.pem      indexer-key.pem  server2-key.pem  server-key.pem
admin.pem          indexer.pem      server2.pem      server.pem
dashboard-key.pem  root-ca.key      server3-key.pem
dashboard.pem      root-ca.pem      server3.pem
[vagrant@centos7 wazuh-certificates]$ openssl x509 -in server.pem -noout -text
X509v3 Subject Alternative Name: 
                IP Address:127.0.0.1, IP Address:127.0.0.2, DNS:google.com, IP Address:127.0.0.4, DNS:wazuh.com
[vagrant@centos7 ~]$ bash wazuh-certs-tool.sh -wi certs/root-ca.key certs/root-ca.pem 
31/08/2022 07:14:08 INFO: Wazuh indexer certificates created.
[vagrant@centos7 ~]$ ls wazuh-certificates/
indexer-key.pem  indexer.pem  root-ca.key  root-ca.pem
[vagrant@centos7 ~]$ rm -rf wazuh-certificates/
[vagrant@centos7 ~]$ bash wazuh-certs-tool.sh -ws certs/root-ca.key certs/root-ca.pem 
31/08/2022 07:14:23 INFO: Wazuh server certificates created.
[vagrant@centos7 ~]$ ls wazuh-certificates/
root-ca.key  server2-key.pem  server3-key.pem  server-key.pem
root-ca.pem  server2.pem      server3.pem      server.pem
[vagrant@centos7 ~]$ bash wazuh-certs-tool.sh -a certs/root-ca.key certs/root-ca.pem 
31/08/2022 07:14:45 INFO: Admin certificates created.
[vagrant@centos7 ~]$ ls wazuh-certificates/
admin-key.pem  admin.pem  root-ca.key  root-ca.pem
[vagrant@centos7 ~]$ rm -rf wazuh-certificates/
[vagrant@centos7 ~]$ bash wazuh-certs-tool.sh -wd certs/root-ca.key certs/root-ca.pem 
31/08/2022 07:15:03 INFO: Wazuh dashboard certificates created.
[vagrant@centos7 ~]$ ls wazuh-certificates/
dashboard-key.pem  dashboard.pem  root-ca.key  root-ca.pem

Invalid IP in config.yml

[vagrant@centos7 ~]$ bash wazuh-certs-tool.sh -A
31/08/2022 07:17:44 INFO: Admin certificates created.
31/08/2022 07:17:44 INFO: Wazuh indexer certificates created.
31/08/2022 07:17:44 ERROR: Invalid IP or DNS 127.0.0.

config.yml

nodes:
  indexer:
    - name: indexer
      ip: 127.0.0.1
    - name: indexer2
      ip: test.com
  server:
    - name: server
      ip: 127.0.0.1
      ip: 127.0.0.2
      ip: 127.0.0.3
      ip: wazuh.com
      ip: test.hopto.org
      node_type: master
    - name: server2
      ip: 127.0.0.4
      ip: 127.0.0.5
      node_type: worker
  dashboard:
    - name: dashboard
      ip: 127.0.0.1

Output of the parse yml function:

nodes_indexer_1="indexer"
nodes_indexer_1_ip="127.0.0.1"
nodes_indexer_2="indexer2"
nodes_indexer_2_ip="test.com"
nodes_server_1="server"
nodes_server_1_ip="127.0.0.1"
nodes_server_1_ip="127.0.0.2"
nodes_server_1_ip="127.0.0.3"
nodes_server_1_ip="wazuh.com"
nodes_server_1_ip="test.hopto.org"
nodes_server_1_node_type="master"
nodes_server_2="server2"
nodes_server_2_ip="127.0.0.4"
nodes_server_2_ip="127.0.0.5"
nodes_server_2_node_type="worker"
nodes_dashboard_1="dashboard"
nodes_dashboard_1_ip="127.0.0.1"
nodes_dashboard_=" nodes_dashboard_1"
nodes_indexer_1_=" nodes_indexer_1_ip"
nodes_indexer_2_=" nodes_indexer_2_ip"
nodes_=" nodes_indexer nodes_server nodes_dashboard"
nodes_dashboard_1_=" nodes_dashboard_1_ip"
nodes_server_1_=" nodes_server_1_ip nodes_server_1_node_type"
nodes_server_2_=" nodes_server_2_ip nodes_server_2_node_type"
nodes_indexer_=" nodes_indexer_1 nodes_indexer_2"
__=" nodes"
nodes_server_=" nodes_server_1 nodes_server_2"

wazuh-install.sh
[root@ip-172-31-8-198 ec2-user]# bash wazuh-install.sh -a
31/08/2022 08:11:12 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
31/08/2022 08:11:12 INFO: Verbose logging redirected to /var/log/wazuh-install.log
31/08/2022 08:11:17 INFO: Wazuh development repository added.
31/08/2022 08:11:17 INFO: --- Configuration files ---
31/08/2022 08:11:17 INFO: Generating configuration files.
31/08/2022 08:11:18 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
31/08/2022 08:11:19 INFO: --- Wazuh indexer ---
31/08/2022 08:11:19 INFO: Starting Wazuh indexer installation.
31/08/2022 08:12:20 INFO: Wazuh indexer installation finished.
31/08/2022 08:12:20 INFO: Wazuh indexer post-install configuration finished.
31/08/2022 08:12:20 INFO: Starting service wazuh-indexer.
31/08/2022 08:12:33 INFO: wazuh-indexer service started.
31/08/2022 08:12:33 INFO: Initializing Wazuh indexer cluster security settings.
31/08/2022 08:12:38 INFO: Wazuh indexer cluster initialized.
31/08/2022 08:12:38 INFO: --- Wazuh server ---
31/08/2022 08:12:38 INFO: Starting the Wazuh manager installation.
31/08/2022 08:12:58 INFO: Wazuh manager installation finished.
31/08/2022 08:12:58 INFO: Starting service wazuh-manager.
31/08/2022 08:13:14 INFO: wazuh-manager service started.
31/08/2022 08:13:14 INFO: Starting Filebeat installation.
31/08/2022 08:13:27 INFO: Filebeat installation finished.
31/08/2022 08:13:28 INFO: Filebeat post-install configuration finished.
31/08/2022 08:13:28 INFO: Starting service filebeat.
31/08/2022 08:13:28 INFO: filebeat service started.
31/08/2022 08:13:28 INFO: --- Wazuh dashboard ---
31/08/2022 08:13:28 INFO: Starting Wazuh dashboard installation.
31/08/2022 08:14:35 INFO: Wazuh dashboard installation finished.
31/08/2022 08:14:35 INFO: Wazuh dashboard post-install configuration finished.
31/08/2022 08:14:35 INFO: Starting service wazuh-dashboard.
31/08/2022 08:14:36 INFO: wazuh-dashboard service started.
31/08/2022 08:15:00 INFO: Initializing Wazuh dashboard web application.
31/08/2022 08:15:00 INFO: Wazuh dashboard web application initialized.
31/08/2022 08:15:00 INFO: --- Summary ---
31/08/2022 08:15:00 INFO: You can access the web interface https://<wazuh-dashboard-ip>
    User: admin
    Password: au1P6q+tXK0WJJVuN6KJ.b03ev.JKa11
31/08/2022 08:15:00 INFO: Installation finished.

distributed

[root@ip-172-31-8-198 ec2-user]# bash wazuh-install.sh -wi node-1
01/09/2022 06:10:04 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
01/09/2022 06:10:04 INFO: Verbose logging redirected to /var/log/wazuh-install.log
01/09/2022 06:10:10 INFO: Wazuh development repository added.
01/09/2022 06:10:10 INFO: --- Wazuh indexer ---
01/09/2022 06:10:10 INFO: Starting Wazuh indexer installation.
01/09/2022 06:11:09 INFO: Wazuh indexer installation finished.
01/09/2022 06:11:09 INFO: Wazuh indexer post-install configuration finished.
01/09/2022 06:11:09 INFO: Starting service wazuh-indexer.
01/09/2022 06:11:25 INFO: wazuh-indexer service started.
01/09/2022 06:11:25 INFO: Initializing Wazuh indexer cluster security settings.
01/09/2022 06:11:27 INFO: Wazuh indexer cluster initialized.
01/09/2022 06:11:27 INFO: Installation finished.

[root@ip-172-31-8-198 ec2-user]# bash wazuh-install.sh -s
01/09/2022 06:12:28 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
01/09/2022 06:12:28 INFO: Verbose logging redirected to /var/log/wazuh-install.log
01/09/2022 06:12:35 INFO: Wazuh indexer cluster security configuration initialized.
01/09/2022 06:12:45 INFO: Wazuh indexer cluster started.

[root@ip-172-31-11-12 ec2-user]# bash w.sh -ws wazuh-1
01/09/2022 06:13:00 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
01/09/2022 06:13:00 INFO: Verbose logging redirected to /var/log/wazuh-install.log
01/09/2022 06:13:06 INFO: Wazuh development repository added.
01/09/2022 06:13:06 INFO: --- Wazuh server ---
01/09/2022 06:13:06 INFO: Starting the Wazuh manager installation.
01/09/2022 06:13:29 INFO: Wazuh manager installation finished.
01/09/2022 06:13:29 INFO: Starting service wazuh-manager.
01/09/2022 06:13:45 INFO: wazuh-manager service started.
01/09/2022 06:13:45 INFO: Starting Filebeat installation.
01/09/2022 06:14:08 INFO: Filebeat installation finished.
01/09/2022 06:14:09 INFO: Filebeat post-install configuration finished.
01/09/2022 06:14:14 INFO: Starting service filebeat.
01/09/2022 06:14:14 INFO: filebeat service started.
01/09/2022 06:14:14 INFO: Installation finished.

[root@ip-172-31-4-239 ec2-user]# bash w.sh -wd dashboard 
01/09/2022 06:14:44 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
01/09/2022 06:14:44 INFO: Verbose logging redirected to /var/log/wazuh-install.log
01/09/2022 06:14:50 INFO: Wazuh development repository added.
dashboard
01/09/2022 06:14:50 INFO: --- Wazuh dashboard ----
01/09/2022 06:14:50 INFO: Starting Wazuh dashboard installation.
01/09/2022 06:15:57 INFO: Wazuh dashboard installation finished.
01/09/2022 06:15:57 INFO: Wazuh dashboard post-install configuration finished.
01/09/2022 06:15:57 INFO: Starting service wazuh-dashboard.
01/09/2022 06:15:57 INFO: wazuh-dashboard service started.
01/09/2022 06:16:17 INFO: Initializing Wazuh dashboard web application.
01/09/2022 06:16:18 INFO: Wazuh dashboard web application initialized.
01/09/2022 06:16:18 INFO: --- Summary ---
01/09/2022 06:16:18 INFO: You can access the web interface https://172.31.4.239
    User: admin
    Password: xd4k865LFTaB8*AGtTA?wZWmYPUfrcVG
01/09/2022 06:16:18 INFO: Installation finished.

wazuh-passwords-tool.sh
[root@ip-172-31-8-198 ec2-user]# bash wazuh-passwords-tool.sh -a
01/09/2022 06:17:51 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
01/09/2022 06:17:58 INFO: The password for user admin is U38Ca+dXVEX6.upBR*pKGvCRRNE0?ry+
01/09/2022 06:17:58 INFO: The password for user kibanaserver is 63IddxTjYI5Ns*7bB.r67W*BXqK.GWP8
01/09/2022 06:17:58 INFO: The password for user kibanaro is 7.trwgAcUc9gh9+A7yrAD4pvbtYIyLLn
01/09/2022 06:17:58 INFO: The password for user logstash is U+0DOCl4zWj*2*akn6Zpil7saFJyIVvI
01/09/2022 06:17:58 INFO: The password for user readall is TWlJs.k*.?4yM8wZK2tRLpzSHZGP8Hu1
01/09/2022 06:17:58 INFO: The password for user snapshotrestore is tmzCIituT7PniL1xQPEQmQ0MaPmIIbe*
01/09/2022 06:17:58 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
[root@ip-172-31-11-12 ec2-user]# bash wazuh-passwords-tool.sh -au wazuh -ap yeIwiJZzH31bjgIDm75r0Un.NsA4J.3. -u wazuh -p x8h4ElfbLLSP?JRIorTRFdFnv2.8qGci -A
01/09/2022 06:21:35 INFO: The password for Wazuh API user wazuh is x8h4ElfbLLSP?JRIorTRFdFnv2.8qGci

miguelfdez99 avatar Sep 01 '22 07:09 miguelfdez99