Dashboard missing secure cookie setting (OpenVAS scan result)

[aleksibovellan]

I couldn't find a way to fix this myself in any of the config files, so here is an OpenVAS scan result, if it might interest someone. Thanks.

wazuh.dashboard

443/tcp

Thu, Mar 28, 2024 9:39 AM UTC Summary The remote HTTP web server / application is missing to set the 'Secure' cookie attribute for one or more sent HTTP cookie.

The cookie(s): set-cookie: security_authentication=; Max-Age=replaced; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/

is/are missing the "Secure" cookie attribute.

[godunko-v]

@aleksibovellan Hey, I had the same issue, but I fixed it by adding this configuration: opensearch_security.cookie.secure: true to the /etc/wazuh-dashboard/opensearch_dashboards.yml file and then just restart wazuh-dashboard

I also fixed another issue with wazuh-indexer (SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability) by adding -Djdk.tls.ephemeralDHKeySize=2048 to the /etc/wazuh-indexer/jvm.options file. After that, I restarted the wazuh-indexer and the vulnerability disappeared.

Hope it helps!

[aleksibovellan]

Hi @godunko-v , thank you so much for your reply and time. Those solutions indeed worked, as you've already found out. Amazing work right there, and results were confirmed with OpenVAS. Hopefully these additions could be included in the official future releases of Wazuh Docker too. I'll to comment this great SSL/TLS solution of yours to the other issue I filed in this repository also.

All the best and thanks again!! -Aleksi

[aleksibovellan]

The secure cookie issue was resolved by @godunko-v with adding: "opensearch_security.cookie.secure: true" into Wazuh Docker's host machine file: "..wazuh-docker/single-node/config/wazuh_dashboard/opensearch_dashboards.yml" and then downing-upping the docker.