Wazuh Agent Registration SSL verification process
Published: 12/12/2022
Version: 1.0
Welcome
This document details how to configure SSL-based verification of agents during agent registration. Several steps are involved, and they should be followed closely and in order.
Certificate Creation
• Connect to your Wazuh container or pod
o “docker exec -it wazuh-manager bash” for container-based implementations
o “kubectl -n <namespace> exec -it <namespace>-wazuh-0 bash” for Kubernetes-based implementations
• cd /var/ossec/etc/
• Run the following four commands in sequence:
cd /var/ossec/etc/
openssl req -x509 -new -nodes -newkey rsa:4096 -keyout rootCA.key -out rootCA.pem -batch -subj "/C=US/ST=CA/O=Manager"
openssl req -new -nodes -newkey rsa:4096 -keyout sslagent.key -out sslagent.csr -batch
openssl x509 -req -days 3650 -in sslagent.csr -CA rootCA.pem -CAkey rootCA.key -out sslagent.cert -CAcreateserial
NOTE: each of the above commands is a single line. When copying from Word, PDF or web, please remember to remove any carriage returns.
The above will generate all the required certificates for the implementation.
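A check that can be run on the generated files before they are backed up or handed to agents, as an added example that is not part of the original document: it confirms that sslagent.cert chains to rootCA.pem, that sslagent.key belongs to that certificate, and that the certificate is not about to expire. The function names, the 30-day default and the throwaway-pair helper (rsa:2048 and an explicit subject, constructed sample input) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original document. Function names are hypothetical.

# check_agent_cert CA CERT KEY [MIN_DAYS]
# Exit status: 0 ok, 1 not signed by CA, 2 key/cert mismatch, 3 expires too soon.
check_agent_cert() (
    ca=$1 cert=$2 key=$3 min_days=${4:-30}

    # 1. The certificate must chain to the CA the manager validates against.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert is not signed by $ca" >&2; exit 1; }

    # 2. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $key does not match $cert" >&2; exit 2; }

    # 3. Catch a certificate that expires within MIN_DAYS days.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null || {
        echo "FAIL: $cert expires within $min_days days" >&2; exit 3; }

    echo "OK: $cert"
)

# make_throwaway_pair DIR: constructed sample input for trying the check.
# Same commands as above, but with rsa:2048 (for speed), an explicit agent
# subject and a 365-day validity. Not for production use.
make_throwaway_pair() (
    cd "$1" || exit 1
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout rootCA.key \
        -out rootCA.pem -batch -subj "/C=US/ST=CA/O=Manager" 2>/dev/null &&
    openssl req -new -nodes -newkey rsa:2048 -keyout sslagent.key \
        -out sslagent.csr -batch -subj "/C=US/ST=CA/O=Agent" 2>/dev/null &&
    openssl x509 -req -days 365 -in sslagent.csr -CA rootCA.pem \
        -CAkey rootCA.key -out sslagent.cert -CAcreateserial 2>/dev/null
)

# Usage on the manager, from /var/ossec/etc:
#   check_agent_cert rootCA.pem sslagent.cert sslagent.key
```

A non-zero exit status identifies which of the three checks failed, so the function can gate a backup or distribution script.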
Applying the Required Changes to Wazuh for SSL validation
While still connected to the Wazuh pod or container, do the following:
• vi /var/ossec/etc/ossec.conf
• Move down to the section that starts with “<auth>” and add the line indicated in red to the config in the exact location that is displayed in the screenshot
• Once the modification has been made, press [ESC], then type :wq and press [ENTER]
• Now restart Wazuh Manager by running the following command:
o /var/ossec/bin/ossec-control restart
The system will now validate the agents with the certificate. At this point it is highly recommended to back up all certificates.
This can be done by copying them to an alternate secure location. Restrict access to that location: rootCA.key in particular can be used to sign new agent certificates. For the Professional and CE editions, the certificates can be accessed at the following path on the virtual machines:
/volumes/wazuh-manager/wazuh-etc
The files that should be copied are the following:
cp rootCA.* /<destination_path>/
cp sslagent.* /<destination_path>/
cp sslmanager.* /<destination_path>/
From a Kubernetes environment you can copy the certificates as follows:
kubectl -n <namespace> cp <namespace>-wazuh-0:/var/ossec/etc/rootCA.key /<destination_path>/
kubectl -n <namespace> cp <namespace>-wazuh-0:/var/ossec/etc/rootCA.pem /<destination_path>/
kubectl -n <namespace> cp <namespace>-wazuh-0:/var/ossec/etc/rootCA.srl /<destination_path>/
kubectl -n <namespace> cp <namespace>-wazuh-0:/var/ossec/etc/sslagent.cert /<destination_path>/
kubectl -n <namespace> cp <namespace>-wazuh-0:/var/ossec/etc/sslagent.csr /<destination_path>/
kubectl -n <namespace> cp <namespace>-wazuh-0:/var/ossec/etc/sslagent.key /<destination_path>/
kubectl -n <namespace> cp <namespace>-wazuh-0:/var/ossec/etc/sslmanager.cert /<destination_path>/
kubectl -n <namespace> cp <namespace>-wazuh-0:/var/ossec/etc/sslmanager.key /<destination_path>/
NOTE: each of the above commands is a single line. When copying from Word, PDF or web, please remember to remove any carriage returns.
The certificates that will be needed for agent registration are the following:
- sslagent.key
- sslagent.cert
Agent Registration
To register an agent with certificate verification in place, the certificates must first be copied from the Wazuh Manager. Please ensure that you have local copies of both sslagent.key and sslagent.cert.
Windows Based Registration
wazuh-agent-4.0.4-1.msi /q WAZUH_MANAGER="<wazuh_manager>" WAZUH_REGISTRATION_SERVER="<wazuh_manager>" WAZUH_REGISTRATION_KEY="C:\<path_to_ssl_key>\sslagent.key" WAZUH_REGISTRATION_CERTIFICATE="C:\<path_to_ssl_cert>\sslagent.cert"
Ubuntu/Debian Based Registration
sudo WAZUH_MANAGER="192.168.1.80" WAZUH_REGISTRATION_KEY="/<path_to_ssl_key>/sslagent.key" WAZUH_REGISTRATION_CERTIFICATE="/<path_to_ssl_cert>/sslagent.cert" dpkg -i ./wazuh-agent_4.0.4-1_amd64.deb && sleep 5 && sudo systemctl start wazuh-agent
Mac Based Registration
sudo launchctl setenv WAZUH_MANAGER="<wazuh_manager>" WAZUH_REGISTRATION_KEY="/<path_to_ssl_key>/sslagent.key" WAZUH_REGISTRATION_CERTIFICATE="/<path_to_ssl_cert>/sslagent.cert" && sudo installer -pkg ./wazuh-agent-4.0.4-1.pkg -target /
NOTE: each of the above commands is a single line. When copying from Word, PDF or web, please remember to remove any carriage returns. Additionally, please note that absolute paths must be specified for the certificates, not just the certificate file names, even if the files are in the local folder.