wazuh / wazuh-packages

Wazuh - Tools for packages creation
https://wazuh.com
GNU General Public License v2.0

The wazuh-cert-tool does not admit multiple IPs #1573

Closed dariommr closed 2 years ago

dariommr commented 2 years ago
| Wazuh version | Install type | Action performed | Platform |
|---------------|--------------|------------------|----------|
| All           | Manager      | Install          | Any      |

Hello Team. When configuring cluster nodes that contain more than one IP address (such as CCS, CCR), we need to create the certificates with multiple IP addresses (Subject Alternative Names).

My request is to add this feature to the wazuh-cert-tool.

Thank you in advance!

miguelfdez99 commented 2 years ago

Update

The function that we are using to parse config.yml into bash is not ideal: it does not distinguish whether a server IP comes from one node or another; it just passes everything into the same array. Moreover, right now we can't pass more than one IP to one node; it is a one-to-one relationship. So the function needs to be changed, which also means that the variables would probably change the way we are getting them.

I have found a function that allows us to do more things with the YAML files; it is more accurate than the previous one. The function is based on the previous one: Function, Credits

I have only added this line, `gsub(\"name: \", \"\");`, because the names were not parsed correctly.

Example of both functions output:

config.yml
````
nodes:
  indexer:
    - name: indexer
      ip: 127.0.0.1
    - name: indexer2
      ip: 127.0.0.20
  server:
    - name: server
      ip: 127.0.0.1
      ip: 127.0.0.2
      ip: 127.0.0.4
      node_type: master
    - name: server2
      ip: 127.0.0.3
      node_type: worker
    - name: server3
      ip: 127.0.0.10
      node_type: worker
  dashboard:
    - name: dashboard
      ip: 127.0.0.1
    - name: dashboard2
      ip: 127.0.0.12
````

Current parse YAML function output
````
nodes_indexer__name=indexer
nodes_indexer__ip=127.0.0.1
nodes_indexer__name=indexer2
nodes_indexer__ip=127.0.0.20
nodes_server__name=server
nodes_server__ip=127.0.0.1
nodes_server__ip=127.0.0.2
nodes_server__ip=127.0.0.4
nodes_server__node_type=master
nodes_server__name=server2
nodes_server__ip=127.0.0.3
nodes_server__node_type=worker
nodes_server__name=server3
nodes_server__ip=127.0.0.10
nodes_server__node_type=worker
nodes_dashboard__name=dashboard
nodes_dashboard__ip=127.0.0.1
nodes_dashboard__name=dashboard2
nodes_dashboard__ip=127.0.0.12
````

New parse YAML function output
````
nodes_indexer_1="indexer"
nodes_indexer_1_ip="127.0.0.1"
nodes_indexer_2="indexer2"
nodes_indexer_2_ip="127.0.0.20"
nodes_server_1="server"
nodes_server_1_ip="127.0.0.1"
nodes_server_1_ip="127.0.0.2"
nodes_server_1_ip="127.0.0.4"
nodes_server_1_node_type="master"
nodes_server_2="server2"
nodes_server_2_ip="127.0.0.3"
nodes_server_2_node_type="worker"
nodes_server_3="server3"
nodes_server_3_ip="127.0.0.10"
nodes_server_3_node_type="worker"
nodes_dashboard_1="dashboard"
nodes_dashboard_1_ip="127.0.0.1"
nodes_dashboard_2="dashboard2"
nodes_dashboard_2_ip="127.0.0.12"
nodes_dashboard_=" nodes_dashboard_1 nodes_dashboard_2"
nodes_indexer_1_=" nodes_indexer_1_ip"
nodes_indexer_2_=" nodes_indexer_2_ip"
nodes_=" nodes_indexer nodes_server nodes_dashboard"
nodes_dashboard_1_=" nodes_dashboard_1_ip"
nodes_server_1_=" nodes_server_1_ip nodes_server_1_node_type"
nodes_dashboard_2_=" nodes_dashboard_2_ip"
nodes_server_2_=" nodes_server_2_ip nodes_server_2_node_type"
nodes_server_3_=" nodes_server_3_ip nodes_server_3_node_type"
nodes_indexer_=" nodes_indexer_1 nodes_indexer_2"
__=" nodes"
nodes_server_=" nodes_server_1 nodes_server_2 nodes_server_3"
````

Now we can separate the nodes' IPs.

By changing this we also need to change the variables.

New variables
````
# Names, addresses and node types per component, as flat arrays
eval "indexer_node_names=( $(cert_parseYaml "${config_file}" | grep "nodes_indexer_[0-9]=" | cut -d = -f 2 ) )"
eval "server_node_names=( $(cert_parseYaml "${config_file}" | grep "nodes_server_[0-9]=" | cut -d = -f 2 ) )"
eval "dashboard_node_names=( $(cert_parseYaml "${config_file}" | grep "nodes_dashboard_[0-9]=" | cut -d = -f 2 ) )"
eval "indexer_node_ips=( $(cert_parseYaml "${config_file}" | grep "nodes_indexer_[0-9]_ip=" | cut -d = -f 2 ) )"
eval "server_node_ips=( $(cert_parseYaml "${config_file}" | grep "nodes_server_[0-9]_ip=" | cut -d = -f 2 ) )"
eval "dashboard_node_ips=( $(cert_parseYaml "${config_file}" | grep "nodes_dashboard_[0-9]_ip=" | cut -d = -f 2 ) )"
eval "server_node_types=( $(cert_parseYaml "${config_file}" | grep "nodes_server_[0-9]_node_type=" | cut -d = -f 2 ) )"

# Number of server nodes: distinct nodes_server_<n>_ip keys (a node with several IPs repeats its key)
eval "number_server_ips=( $(cert_parseYaml "${config_file}" | grep -o -E 'nodes_server_[0-9]_ip' | sort -u | wc -l) )"

# One array per server node holding all of that node's addresses: server_node_ip_1, server_node_ip_2, ...
# The prefix must match the parser's variable names (nodes_server_<n>_...). The sed keeps only the
# lines whose value contains a dot (IP addresses or DNS names), dropping the name and node_type lines.
for i in $(seq 1 ${number_server_ips}); do
    string='nodes_server_'
    nodes_server="${string}""${i}"
    eval "server_node_ip_$i=( $( cert_parseYaml "${config_file}" | grep "${nodes_server}" | sed '/\./!d' | cut -d = -f 2 | sed -r 's/\s+//g') )"
done
````
Output
````
Indexer node names: indexer indexer2
Server node names: server server2 server3
Dashboard node names: dashboard dashboard2
Indexer node ips: 127.0.0.1 127.0.0.20
Server node ips: 127.0.0.1 127.0.0.2 127.0.0.4 127.0.0.3 127.0.0.10
Dashboard node ips: 127.0.0.1 127.0.0.12
Server node types: master worker worker
Number of servers: 3
Server 1: 127.0.0.1 127.0.0.2 127.0.0.4
Server 2: 127.0.0.3
Server 3: 127.0.0.10
````

Now that all of this is done, we need to make some changes in the cert_generateCertificateconfiguration function. Right now our certificates file looks like this.

        [ req ]
        prompt = no
        default_bits = 2048
        default_md = sha256
        distinguished_name = req_distinguished_name
        x509_extensions = v3_req

        [req_distinguished_name]
        C = US
        L = California
        O = Wazuh
        OU = Wazuh
        CN = cname

        [ v3_req ]
        authorityKeyIdentifier=keyid,issuer
        basicConstraints = CA:FALSE
        keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
        subjectAltName = @alt_names

        [alt_names]
        IP.1 = cip

It has to be changed to include more IPs in the alt_names section.

Goals
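One way to do the per-node grouping the comment above describes, as an added example that is not code from the issue or from wazuh-certs-tool: a small POSIX sh/awk parser for this config.yml layout that keeps every `ip:` line attached to the `- name:` item it belongs to, instead of flattening all server IPs into one array. The function names `parse_nodes` and `node_ips` are my own; the sample input is the first config.yml from this thread, written to a temp file so the script runs stand-alone.

```shell
# Added example (not wazuh-certs-tool code). Parse a config.yml of the shape used in this
# issue and print one line per node:
#   <section> <index> <name> <addresses, comma-separated> <node_type or ->
# Repeated "ip:" keys under one "- name:" item are collected for that item only.
parse_nodes() {
    awk '
    function flush() {
        if (name != "") {
            printf "%s %d %s %s %s\n", section, idx, name, (ips == "" ? "-" : ips), (ntype == "" ? "-" : ntype)
        }
        name = ""; ips = ""; ntype = ""
    }
    {
        line = $0
        sub(/#.*/, "", line)                  # drop comments
        sub(/^[ \t]+/, "", line)              # indentation is not needed: the keys carry the structure
        sub(/[ \t]+$/, "", line)
        if (line == "" || line == "nodes:") next
        if (line ~ /^- name:/) {              # a new node item: emit the previous one first
            flush(); idx++
            sub(/^- name:[ \t]*/, "", line); gsub(/"/, "", line); name = line; next
        }
        if (line ~ /^[A-Za-z_]+:$/) {         # a new section (indexer:, server:, dashboard:)
            flush(); idx = 0; section = substr(line, 1, length(line) - 1); next
        }
        p = index(line, ":")                  # key: value, split at the FIRST colon so IPv6 values survive
        if (p == 0) next
        key = substr(line, 1, p - 1); val = substr(line, p + 1)
        sub(/^[ \t]+/, "", val); gsub(/"/, "", val)
        if (key == "ip") { ips = (ips == "" ? val : ips "," val) }   # repeated ip: keys accumulate
        else if (key == "node_type") { ntype = val }
    }
    END { flush() }' "$1"
}

# Addresses of one node, one per line: node_ips <config> <section> <name>
node_ips() {
    parse_nodes "$1" | awk -v s="$2" -v n="$3" '$1 == s && $3 == n && $4 != "-" { gsub(/,/, "\n", $4); print $4 }'
}

# Constructed input: the first config.yml from this issue, written to a temp file
CONFIG_FILE=$(mktemp)
trap 'rm -f "$CONFIG_FILE"' EXIT
cat > "$CONFIG_FILE" <<'EOF'
nodes:
  indexer:
    - name: indexer
      ip: 127.0.0.1
    - name: indexer2
      ip: 127.0.0.20
  server:
    - name: server
      ip: 127.0.0.1
      ip: 127.0.0.2
      ip: 127.0.0.4
      node_type: master
    - name: server2
      ip: 127.0.0.3
      node_type: worker
    - name: server3
      ip: 127.0.0.10
      node_type: worker
  dashboard:
    - name: dashboard
      ip: 127.0.0.1
    - name: dashboard2
      ip: 127.0.0.12
EOF

# Per-node listing: exactly the grouping the certificate generator needs for each SAN list
parse_nodes "$CONFIG_FILE" | while read -r section idx name ips ntype; do
    printf '%s %s (%s): %s\n' "$section" "$name" "$ntype" "$(printf '%s' "$ips" | tr ',' ' ')"
done
```

The parser deliberately ignores indentation and keys on the two markers the file actually uses (`- name:` starts an item, a bare `word:` starts a section), so a node with one address and a node with five come out in the same shape; the generator can then loop over `node_ips` per node rather than over a global IP array.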

miguelfdez99 commented 2 years ago

TESTS

wazuh-certs-tool.sh

config.yml
````
nodes:
  indexer:
    - name: indexer
      ip: 127.0.0.1
  server:
    - name: server
      ip: 127.0.0.1
      ip: 127.0.0.2
      ip: google.com
      ip: 127.0.0.4
      ip: wazuh.com
      node_type: master
    - name: server2
      ip: 127.0.0.3
      node_type: worker
    - name: server3
      ip: 127.0.0.10
      node_type: worker
  dashboard:
    - name: dashboard
      ip: 127.0.0.1
    - name: dashboard2
      ip: 127.0.0.12
````

````
[vagrant@centos7 ~]$ bash wazuh-certs-tool.sh -A
31/08/2022 07:12:20 INFO: Admin certificates created.
31/08/2022 07:12:21 INFO: Wazuh indexer certificates created.
31/08/2022 07:12:21 INFO: Wazuh server certificates created.
31/08/2022 07:12:21 INFO: Wazuh dashboard certificates created.
[vagrant@centos7 ~]$ ls wazuh-certificates/
admin-key.pem      indexer-key.pem  server2-key.pem  server-key.pem
admin.pem          indexer.pem      server2.pem      server.pem
dashboard-key.pem  root-ca.key      server3-key.pem
dashboard.pem      root-ca.pem      server3.pem
````

````
[vagrant@centos7 wazuh-certificates]$ openssl x509 -in server.pem -noout -text
            X509v3 Subject Alternative Name:
                IP Address:127.0.0.1, IP Address:127.0.0.2, DNS:google.com, IP Address:127.0.0.4, DNS:wazuh.com
````

````
[vagrant@centos7 ~]$ bash wazuh-certs-tool.sh -wi certs/root-ca.key certs/root-ca.pem
31/08/2022 07:14:08 INFO: Wazuh indexer certificates created.
[vagrant@centos7 ~]$ ls wazuh-certificates/
indexer-key.pem  indexer.pem  root-ca.key  root-ca.pem
[vagrant@centos7 ~]$ rm -rf wazuh-certificates/
[vagrant@centos7 ~]$ bash wazuh-certs-tool.sh -ws certs/root-ca.key certs/root-ca.pem
31/08/2022 07:14:23 INFO: Wazuh server certificates created.
[vagrant@centos7 ~]$ ls wazuh-certificates/
root-ca.key  server2-key.pem  server3-key.pem  server-key.pem
root-ca.pem  server2.pem      server3.pem      server.pem
[vagrant@centos7 ~]$ bash wazuh-certs-tool.sh -a certs/root-ca.key certs/root-ca.pem
31/08/2022 07:14:45 INFO: Admin certificates created.
[vagrant@centos7 ~]$ ls wazuh-certificates/
admin-key.pem  admin.pem  root-ca.key  root-ca.pem
[vagrant@centos7 ~]$ rm -rf wazuh-certificates/
[vagrant@centos7 ~]$ bash wazuh-certs-tool.sh -wd certs/root-ca.key certs/root-ca.pem
31/08/2022 07:15:03 INFO: Wazuh dashboard certificates created.
[vagrant@centos7 ~]$ ls wazuh-certificates/
dashboard-key.pem  dashboard.pem  root-ca.key  root-ca.pem
````

Invalid IP in config.yml
````
[vagrant@centos7 ~]$ bash wazuh-certs-tool.sh -A
31/08/2022 07:17:44 INFO: Admin certificates created.
31/08/2022 07:17:44 INFO: Wazuh indexer certificates created.
31/08/2022 07:17:44 ERROR: Invalid IP or DNS 127.0.0.
````

config.yml
````
nodes:
  indexer:
    - name: indexer
      ip: 127.0.0.1
    - name: indexer2
      ip: test.com
  server:
    - name: server
      ip: 127.0.0.1
      ip: 127.0.0.2
      ip: 127.0.0.3
      ip: wazuh.com
      ip: test.hopto.org
      node_type: master
    - name: server2
      ip: 127.0.0.4
      ip: 127.0.0.5
      node_type: worker
  dashboard:
    - name: dashboard
      ip: 127.0.0.1
````

Output of the parse yml function:
````
nodes_indexer_1="indexer"
nodes_indexer_1_ip="127.0.0.1"
nodes_indexer_2="indexer2"
nodes_indexer_2_ip="test.com"
nodes_server_1="server"
nodes_server_1_ip="127.0.0.1"
nodes_server_1_ip="127.0.0.2"
nodes_server_1_ip="127.0.0.3"
nodes_server_1_ip="wazuh.com"
nodes_server_1_ip="test.hopto.org"
nodes_server_1_node_type="master"
nodes_server_2="server2"
nodes_server_2_ip="127.0.0.4"
nodes_server_2_ip="127.0.0.5"
nodes_server_2_node_type="worker"
nodes_dashboard_1="dashboard"
nodes_dashboard_1_ip="127.0.0.1"
nodes_dashboard_=" nodes_dashboard_1"
nodes_indexer_1_=" nodes_indexer_1_ip"
nodes_indexer_2_=" nodes_indexer_2_ip"
nodes_=" nodes_indexer nodes_server nodes_dashboard"
nodes_dashboard_1_=" nodes_dashboard_1_ip"
nodes_server_1_=" nodes_server_1_ip nodes_server_1_node_type"
nodes_server_2_=" nodes_server_2_ip nodes_server_2_node_type"
nodes_indexer_=" nodes_indexer_1 nodes_indexer_2"
__=" nodes"
nodes_server_=" nodes_server_1 nodes_server_2"
````
wazuh-install.sh
````
[root@ip-172-31-8-198 ec2-user]# bash wazuh-install.sh -a
31/08/2022 08:11:12 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
31/08/2022 08:11:12 INFO: Verbose logging redirected to /var/log/wazuh-install.log
31/08/2022 08:11:17 INFO: Wazuh development repository added.
31/08/2022 08:11:17 INFO: --- Configuration files ---
31/08/2022 08:11:17 INFO: Generating configuration files.
31/08/2022 08:11:18 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
31/08/2022 08:11:19 INFO: --- Wazuh indexer ---
31/08/2022 08:11:19 INFO: Starting Wazuh indexer installation.
31/08/2022 08:12:20 INFO: Wazuh indexer installation finished.
31/08/2022 08:12:20 INFO: Wazuh indexer post-install configuration finished.
31/08/2022 08:12:20 INFO: Starting service wazuh-indexer.
31/08/2022 08:12:33 INFO: wazuh-indexer service started.
31/08/2022 08:12:33 INFO: Initializing Wazuh indexer cluster security settings.
31/08/2022 08:12:38 INFO: Wazuh indexer cluster initialized.
31/08/2022 08:12:38 INFO: --- Wazuh server ---
31/08/2022 08:12:38 INFO: Starting the Wazuh manager installation.
31/08/2022 08:12:58 INFO: Wazuh manager installation finished.
31/08/2022 08:12:58 INFO: Starting service wazuh-manager.
31/08/2022 08:13:14 INFO: wazuh-manager service started.
31/08/2022 08:13:14 INFO: Starting Filebeat installation.
31/08/2022 08:13:27 INFO: Filebeat installation finished.
31/08/2022 08:13:28 INFO: Filebeat post-install configuration finished.
31/08/2022 08:13:28 INFO: Starting service filebeat.
31/08/2022 08:13:28 INFO: filebeat service started.
31/08/2022 08:13:28 INFO: --- Wazuh dashboard ---
31/08/2022 08:13:28 INFO: Starting Wazuh dashboard installation.
31/08/2022 08:14:35 INFO: Wazuh dashboard installation finished.
31/08/2022 08:14:35 INFO: Wazuh dashboard post-install configuration finished.
31/08/2022 08:14:35 INFO: Starting service wazuh-dashboard.
31/08/2022 08:14:36 INFO: wazuh-dashboard service started.
31/08/2022 08:15:00 INFO: Initializing Wazuh dashboard web application.
31/08/2022 08:15:00 INFO: Wazuh dashboard web application initialized.
31/08/2022 08:15:00 INFO: --- Summary ---
31/08/2022 08:15:00 INFO: You can access the web interface https:// User: admin Password: au1P6q+tXK0WJJVuN6KJ.b03ev.JKa11
31/08/2022 08:15:00 INFO: Installation finished.
````

distributed
````
[root@ip-172-31-8-198 ec2-user]# bash wazuh-install.sh -wi node-1
01/09/2022 06:10:04 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
01/09/2022 06:10:04 INFO: Verbose logging redirected to /var/log/wazuh-install.log
01/09/2022 06:10:10 INFO: Wazuh development repository added.
01/09/2022 06:10:10 INFO: --- Wazuh indexer ---
01/09/2022 06:10:10 INFO: Starting Wazuh indexer installation.
01/09/2022 06:11:09 INFO: Wazuh indexer installation finished.
01/09/2022 06:11:09 INFO: Wazuh indexer post-install configuration finished.
01/09/2022 06:11:09 INFO: Starting service wazuh-indexer.
01/09/2022 06:11:25 INFO: wazuh-indexer service started.
01/09/2022 06:11:25 INFO: Initializing Wazuh indexer cluster security settings.
01/09/2022 06:11:27 INFO: Wazuh indexer cluster initialized.
01/09/2022 06:11:27 INFO: Installation finished.
````

````
[root@ip-172-31-8-198 ec2-user]# bash wazuh-install.sh -s
01/09/2022 06:12:28 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
01/09/2022 06:12:28 INFO: Verbose logging redirected to /var/log/wazuh-install.log
01/09/2022 06:12:35 INFO: Wazuh indexer cluster security configuration initialized.
01/09/2022 06:12:45 INFO: Wazuh indexer cluster started.
````

````
[root@ip-172-31-11-12 ec2-user]# bash w.sh -ws wazuh-1
01/09/2022 06:13:00 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
01/09/2022 06:13:00 INFO: Verbose logging redirected to /var/log/wazuh-install.log
01/09/2022 06:13:06 INFO: Wazuh development repository added.
01/09/2022 06:13:06 INFO: --- Wazuh server ---
01/09/2022 06:13:06 INFO: Starting the Wazuh manager installation.
01/09/2022 06:13:29 INFO: Wazuh manager installation finished.
01/09/2022 06:13:29 INFO: Starting service wazuh-manager.
01/09/2022 06:13:45 INFO: wazuh-manager service started.
01/09/2022 06:13:45 INFO: Starting Filebeat installation.
01/09/2022 06:14:08 INFO: Filebeat installation finished.
01/09/2022 06:14:09 INFO: Filebeat post-install configuration finished.
01/09/2022 06:14:14 INFO: Starting service filebeat.
01/09/2022 06:14:14 INFO: filebeat service started.
01/09/2022 06:14:14 INFO: Installation finished.
````

````
[root@ip-172-31-4-239 ec2-user]# bash w.sh -wd dashboard
01/09/2022 06:14:44 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
01/09/2022 06:14:44 INFO: Verbose logging redirected to /var/log/wazuh-install.log
01/09/2022 06:14:50 INFO: Wazuh development repository added.
dashboard
01/09/2022 06:14:50 INFO: --- Wazuh dashboard ----
01/09/2022 06:14:50 INFO: Starting Wazuh dashboard installation.
01/09/2022 06:15:57 INFO: Wazuh dashboard installation finished.
01/09/2022 06:15:57 INFO: Wazuh dashboard post-install configuration finished.
01/09/2022 06:15:57 INFO: Starting service wazuh-dashboard.
01/09/2022 06:15:57 INFO: wazuh-dashboard service started.
01/09/2022 06:16:17 INFO: Initializing Wazuh dashboard web application.
01/09/2022 06:16:18 INFO: Wazuh dashboard web application initialized.
01/09/2022 06:16:18 INFO: --- Summary ---
01/09/2022 06:16:18 INFO: You can access the web interface https://172.31.4.239 User: admin Password: xd4k865LFTaB8*AGtTA?wZWmYPUfrcVG
01/09/2022 06:16:18 INFO: Installation finished.
````
wazuh-passwords-tool.sh
````
[root@ip-172-31-8-198 ec2-user]# bash wazuh-passwords-tool.sh -a
01/09/2022 06:17:51 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
01/09/2022 06:17:58 INFO: The password for user admin is U38Ca+dXVEX6.upBR*pKGvCRRNE0?ry+
01/09/2022 06:17:58 INFO: The password for user kibanaserver is 63IddxTjYI5Ns*7bB.r67W*BXqK.GWP8
01/09/2022 06:17:58 INFO: The password for user kibanaro is 7.trwgAcUc9gh9+A7yrAD4pvbtYIyLLn
01/09/2022 06:17:58 INFO: The password for user logstash is U+0DOCl4zWj*2*akn6Zpil7saFJyIVvI
01/09/2022 06:17:58 INFO: The password for user readall is TWlJs.k*.?4yM8wZK2tRLpzSHZGP8Hu1
01/09/2022 06:17:58 INFO: The password for user snapshotrestore is tmzCIituT7PniL1xQPEQmQ0MaPmIIbe*
01/09/2022 06:17:58 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
````

````
[root@ip-172-31-11-12 ec2-user]# bash wazuh-passwords-tool.sh -au wazuh -ap yeIwiJZzH31bjgIDm75r0Un.NsA4J.3. -u wazuh -p x8h4ElfbLLSP?JRIorTRFdFnv2.8qGci -A
01/09/2022 06:21:35 INFO: The password for Wazuh API user wazuh is x8h4ElfbLLSP?JRIorTRFdFnv2.8qGci
````
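An added example (my own code, not wazuh-certs-tool's) of the two pieces the certificate test run above exercises: classifying each `ip:` value as an IP address or a DNS name so it lands in `IP.n` or `DNS.n` of `[alt_names]`, in config order, and rejecting a malformed value such as `127.0.0.` before any config is written. It renders the full request config shown earlier in this issue with the node name as CN. The function names are assumptions; only IPv4 addresses and host names are handled, which is what the tests here use (an IPv6 address would be reported as invalid by this check).

```shell
# Added example, not project code. Builds the OpenSSL request config for one node
# with a multi-entry subjectAltName, validating every entry first.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# "127.0.0." (the truncated value from the test run above) does not yield four
# non-empty octets and is rejected.
is_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac     # digits and dots only, so the split below cannot glob
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Return 0 if $1 is a plausible DNS name: labels of letters, digits and '-', joined by
# dots, no empty label, no label starting or ending with '-', and not made only of digits
# and dots (that is a malformed IPv4 address, not a host name).
is_dns_name() {
    [ -n "$1" ] && [ "${#1}" -le 253 ] || return 1
    case $1 in
        *[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    esac
    case $1 in
        *[!0-9.]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print an [alt_names] section for the given entries, IP.n for addresses and DNS.n for
# names, keeping the order of the config. Fails on the first entry that is neither,
# with the same wording the tool uses, so nothing partial reaches the cnf file.
alt_names_section() {
    ip_n=0; dns_n=0
    echo "[alt_names]"
    for entry; do
        if is_ipv4 "$entry"; then
            ip_n=$((ip_n + 1)); echo "IP.$ip_n = $entry"
        elif is_dns_name "$entry"; then
            dns_n=$((dns_n + 1)); echo "DNS.$dns_n = $entry"
        else
            echo "ERROR: Invalid IP or DNS $entry" >&2; return 1
        fi
    done
}

# Render the complete request config for one node: node_cnf <cn> <addr>...
# Same [req]/[v3_req] body as the issue shows; CN and [alt_names] come from the arguments.
node_cnf() {
    cn=$1; shift
    alt=$(alt_names_section "$@") || return 1
    cat <<EOF
[ req ]
prompt = no
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req

[req_distinguished_name]
C = US
L = California
O = Wazuh
OU = Wazuh
CN = $cn

[ v3_req ]
authorityKeyIdentifier=keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

$alt
EOF
}

# Demo: the multi-address master node from this issue's test config, then a truncated address
node_cnf server 127.0.0.1 127.0.0.2 google.com 127.0.0.4 wazuh.com
node_cnf server2 127.0.0. || echo "server2: config not generated"
```

Redirect `node_cnf` output to `server.cnf`, then the standard OpenSSL sequence produces a certificate whose SAN matches the listing in the test above: `openssl req -new -newkey rsa:2048 -nodes -keyout server-key.pem -out server.csr -config server.cnf`, then `openssl x509 -req -in server.csr -CA root-ca.pem -CAkey root-ca.key -CAcreateserial -days 3650 -extfile server.cnf -extensions v3_req -out server.pem`, and `openssl x509 -in server.pem -noout -text` to confirm the `X509v3 Subject Alternative Name` line lists every address. Note that `IP.3` ends up after `DNS.1` when the config interleaves them; OpenSSL emits the SAN entries in the order of the section, so the certificate still matches the order of the `ip:` lines.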