wazuh / wazuh-virtual-machines

Wazuh - Virtual Machines (OVA and AMI)
https://wazuh.com/
GNU General Public License v2.0

Improvements to AMI customization script #98

Open c-bordon opened 1 day ago

c-bordon commented 1 day ago

close https://github.com/wazuh/wazuh-virtual-machines/issues/92

Description

Because AWS had some issues with the customization of the AMI causing them to be unable to access the VM, we made some changes to the customization script, creating specific functions and adding checkpoints to validate the operation of the services after the certificate changes.

Tests

VM 1:

Boot Time

```console
cbordon@cbordon-MS-7C88:~/Downloads$ while ! ssh -i cbordon-testing-key.pem -o StrictHostKeyChecking=no wazuh-user@52.87.170.31 exit; do echo "$(date): Retrying..."; sleep 5; done
Warning: Permanently added '52.87.170.31' (ED25519) to the list of known hosts.
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:28:01 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:28:07 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:28:14 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:28:20 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:28:27 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:28:34 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:28:40 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:28:47 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:28:53 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:29:00 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:29:07 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:29:13 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:29:20 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:29:27 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:29:33 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:29:40 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:29:46 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:29:53 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:30:00 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:30:06 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:30:13 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:30:19 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:30:26 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:30:33 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:30:40 -03: Retrying...
wazuh-user@52.87.170.31: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 08:30:46 -03: Retrying...
cbordon@cbordon-MS-7C88:~/Downloads$ ssh -i cbordon-testing-key.pem -o StrictHostKeyChecking=no wazuh-user@52.87.170.31
Last login: Mon Oct 21 19:28:53 2024 from 74.235.127.200
    (Wazuh ASCII-art banner)
    WAZUH
    Open Source Security Platform
    https://wazuh.com
[wazuh-user@wazuh-server ~]$
```
Log files

```console
[wazuh-user@wazuh-server ~]$ ls -la /var/log/
total 312
drwxr-xr-x   9 root          root              4096 oct 22 11:30 .
drwxr-xr-x  20 root          root               282 oct 21 19:28 ..
drwxr-xr-x   3 root          root                17 sep 30  2021 amazon
drwx------   2 root          root                23 sep 30  2021 audit
-rw-------   1 root          root              8948 oct 22 11:52 boot.log
-rw-------   1 root          root                 0 oct 21 19:28 boot.log-20220428
-rw-------   1 root          utmp                 0 oct 21 19:28 btmp
-rw-------   1 root          utmp                 0 oct 21 19:28 btmp-20220428
drwxr-x---   2 chrony        chrony              72 oct 21 19:23 chrony
-rw-r--r--   1 root          root             98202 oct 22 11:27 cloud-init.log
-rw-r-----   1 root          root              3307 oct 22 11:27 cloud-init-output.log
-rw-------   1 root          root               783 oct 22 11:50 cron
-rw-------   1 root          root                 0 oct 21 19:28 cron-20220428
-rw-r--r--   1 root          root             29285 oct 22 11:27 dmesg
-rw-r--r--   1 root          root                 0 oct 21 19:28 dmesg.old
drw-------   2 root          root               148 oct 22 11:30 filebeat
-rw-------   1 root          root                 0 oct 21 19:28 grubby
-rw-r--r--   1 root          root                 0 oct 21 19:28 grubby_prune_debug
drwxr-sr-x+  3 root          systemd-journal     46 sep 30  2021 journal
-rw-r--r--   1 root          root            292584 oct 22 11:54 lastlog
-rw-------   1 root          root              1245 oct 22 11:30 maillog
-rw-------   1 root          root                 0 oct 21 19:28 maillog-20220428
-rw-------   1 root          root            112500 oct 22 11:55 messages
-rw-------   1 root          root                 0 oct 21 19:28 messages-20220428
drwxr-xr-x   2 root          root                78 oct 22 11:27 sa
-rw-------   1 root          root              9543 oct 22 11:54 secure
-rw-------   1 root          root                 0 oct 21 19:28 secure-20220428
-rw-------   1 root          root                 0 oct 21 19:28 spooler
-rw-------   1 root          root                 0 oct 21 19:28 spooler-20220428
-rw-------   1 root          root                 0 oct 21 19:28 tallylog
drwxr-x---   3 wazuh-indexer wazuh-indexer     4096 oct 22 11:29 wazuh-indexer
-rw-rw-r--   1 root          utmp              7296 oct 22 11:54 wtmp
-rw-------   1 root          root                 0 oct 21 19:28 yum.log
-rw-------   1 root          root                 0 oct 21 19:28 yum.log-20220428
[wazuh-user@wazuh-server ~]$
```
wazuh.yml file

```console
[root@wazuh-server ~]# cat /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
---
#
# App configuration file
# Copyright (C) 2015-2024 Wazuh, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Find more information about this on the LICENSE file.
#
# =========================== App configuration file ===========================
#
# Please check the documentation for more information about configuration options:
# https://documentation.wazuh.com/4.9/user-manual/wazuh-dashboard/config-file.html
#
# Also, you can check our repository:
# https://github.com/wazuh/wazuh-dashboard-plugins
#
# ---------------------------------- General -----------------------------------
#
# Basic app settings related to alerts index pattern, hide the manager alerts in
# the dashboards, logs level and more.
#
# Define the index name prefix of sample alerts. It must match the template used
# by the index pattern to avoid unknown fields in dashboards.
# alerts.sample.prefix: wazuh-alerts-4.x-
#
# Enable or disable the ability to edit the configuration from UI or API
# endpoints. When disabled, this can only be edited from the configuration file,
# the related API endpoints are disabled, and the UI is inaccessible. Allowed
# values: true, false.
# configuration.ui_api_editable: true
#
# Define the index prefix of predefined jobs.
# cron.prefix: wazuh
#
# Specifies the Wazuh registration server, used for the agent enrollment.
# enrollment.dns: ''
#
# Specifies the password used to authenticate during the agent enrollment.
# enrollment.password: "I-0a97a1a328372ad51"
#
# Hide the alerts of the manager in every dashboard. Allowed values: true, false.
# hideManagerAlerts: false
#
# Disable certain index pattern names from being available in index pattern
# selector.
# ip.ignore: []
#
# Define if the user is allowed to change the selected index pattern directly from
# the top menu bar. Allowed values: true, false.
# ip.selector: true
#
# Default index pattern to use on the app. If there's no valid index pattern, the
# app will automatically create one with the name indicated in this option.
# pattern: wazuh-alerts-*
#
# Maximum time, in milliseconds, the app will wait for an API response when making
# requests to it. It will be ignored if the value is set under 1500 milliseconds.
# Minimum value: 1500.
# timeout: 20000
#
# Define if the check updates service is active. Allowed values: true, false.
# wazuh.updates.disabled: false
#
# -------------------------------- Health check --------------------------------
#
# Checks will be executed by the app's Healthcheck.
#
# Enable or disable the API health check when opening the app. Allowed values:
# true, false.
# checks.api: true
#
# Enable or disable the known fields health check when opening the app. Allowed
# values: true, false.
# checks.fields: true
#
# Change the default value of the plugin platform max buckets configuration.
# Allowed values: true, false.
# checks.maxBuckets: true
#
# Change the default value of the plugin platform metaField configuration. Allowed
# values: true, false.
# checks.metaFields: true
#
# Enable or disable the index pattern health check when opening the app. Allowed
# values: true, false.
# checks.pattern: true
#
# Enable or disable the setup health check when opening the app. Allowed values:
# true, false.
# checks.setup: true
#
# Enable or disable the template health check when opening the app. Allowed
# values: true, false.
# checks.template: true
#
# Change the default value of the plugin platform timeFilter configuration.
# Allowed values: true, false.
# checks.timeFilter: true
#
# ------------------------------ Task:Monitoring -------------------------------
#
# Options related to the agent status monitoring job and its storage in indexes.
#
# Define the interval in which a new wazuh-monitoring index will be created.
# Allowed values: h (Hourly), d (Daily), w (Weekly), m (Monthly).
# wazuh.monitoring.creation: w
#
# Enable or disable the wazuh-monitoring index creation and/or visualization.
# Allowed values: true, false.
# wazuh.monitoring.enabled: true
#
# Frequency, in seconds, of API requests to get the state of the agents and create
# a new document in the wazuh-monitoring index with this data. Minimum value: 60.
# wazuh.monitoring.frequency: 900
#
# Default index pattern to use for Wazuh monitoring.
# wazuh.monitoring.pattern: wazuh-monitoring-*
#
# Define the number of replicas to use for the wazuh-monitoring-* indices. Minimum
# value: 0.
# wazuh.monitoring.replicas: 0
#
# Define the number of shards to use for the wazuh-monitoring-* indices. Minimum
# value: 1.
# wazuh.monitoring.shards: 1
#
# ------------------------------ Task:Statistics -------------------------------
#
# Options related to the daemons manager monitoring job and their storage in
# indexes.
#
# Enter the ID of the hosts you want to save data from, leave this empty to run
# the task on every host.
# cron.statistics.apis: []
#
# Define the interval in which a new index will be created. Allowed values: h
# (Hourly), d (Daily), w (Weekly), m (Monthly).
# cron.statistics.index.creation: w
#
# Define the name of the index in which the documents will be saved.
# cron.statistics.index.name: statistics
#
# Define the number of replicas to use for the statistics indices. Minimum value:
# 0.
# cron.statistics.index.replicas: 0
#
# Define the number of shards to use for the statistics indices. Minimum value: 1.
# cron.statistics.index.shards: 1
#
# Define the frequency of task execution using cron schedule expressions.
# cron.statistics.interval: 0 */5 * * * *
#
# Enable or disable the statistics tasks. Allowed values: true, false.
# cron.statistics.status: true
#
# ------------------------------ Vulnerabilities -------------------------------
#
# Options related to the agent vulnerabilities monitoring job and its storage in
# indexes.
#
# Default index pattern to use for vulnerabilities.
# vulnerabilities.pattern: wazuh-states-vulnerabilities-*
#
# ------------------------------ Custom branding -------------------------------
#
# If you want to use custom branding elements such as logos, you can do so by
# editing the settings below.
#
# Enable or disable the customization. Allowed values: true, false.
# customization.enabled: true
#
# This logo is used as loading indicator while the user is logging into Wazuh API.
# Supported extensions: .jpeg, .jpg, .png, .svg. Recommended dimensions:
# 300x70px. Maximum file size: 1 MB.
# customization.logo.app: ''
#
# This logo is displayed during the Healthcheck routine of the app. Supported
# extensions: .jpeg, .jpg, .png, .svg. Recommended dimensions: 300x70px. Maximum
# file size: 1 MB.
# customization.logo.healthcheck: ''
#
# This logo is used in the PDF reports generated by the app. It's placed at the
# top left corner of every page of the PDF. Supported extensions: .jpeg, .jpg,
# .png. Recommended dimensions: 190x40px. Maximum file size: 1 MB.
# customization.logo.reports: ''
#
# Set the footer of the reports. Maximum amount of lines: 2. Maximum lines length
# is 50 characters.
# customization.reports.footer: ''
#
# Set the header of the reports. Maximum amount of lines: 3. Maximum lines length
# is 40 characters.
# customization.reports.header: ''
#
# ------------------------------ API connections -------------------------------
#
# Options related to the API connections.
#
# Configure the API connections.
# The following configuration is the default structure to define a host.
#
# hosts:
#   # Host ID / name,
#   - env-1:
#       # Host URL
#       url: https://env-1.example
#       # Host / API port
#       port: 55000
#       # Host / API username
#       username: wazuh-wui
#       # Host / API password
#       password: "I-0a97a1a328372ad51"
#       # Use RBAC or not. If set to true, the username must be "wazuh-wui".
#       run_as: true
#   - env-2:
#       url: https://env-2.example
#       port: 55000
#       username: wazuh-wui
#       password: "I-0a97a1a328372ad51"
#       run_as: true
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "I-0a97a1a328372ad51"
      run_as: false
[root@wazuh-server ~]#
```
root-ca.pem

```console
[root@wazuh-server ~]# ls -la /etc/wazuh-indexer/certs/
total 24
dr-x------  2 wazuh-indexer wazuh-indexer  117 Oct 22 11:29 .
drwxr-x--- 11 wazuh-indexer wazuh-indexer 4096 Oct 22 11:30 ..
-r--------  1 wazuh-indexer wazuh-indexer 1704 Oct 22 11:29 admin-key.pem
-r--------  1 wazuh-indexer wazuh-indexer 1107 Oct 22 11:29 admin.pem
-r--------  1 wazuh-indexer wazuh-indexer 1184 Oct 22 11:29 root-ca.pem
-r--------  1 wazuh-indexer wazuh-indexer 1704 Oct 22 11:29 wazuh-indexer-key.pem
-r--------  1 wazuh-indexer wazuh-indexer 1229 Oct 22 11:29 wazuh-indexer.pem
[root@wazuh-server ~]# cat /etc/wazuh-indexer/certs/root-ca.pem
-----BEGIN CERTIFICATE-----
MIIDPTCCAiWgAwIBAgIJAJq0A9j+6J6LMA0GCSqGSIb3DQEBCwUAMDUxDjAMBgNV
BAsMBVdhenVoMQ4wDAYDVQQKDAVXYXp1aDETMBEGA1UEBwwKQ2FsaWZvcm5pYTAe
Fw0yNDEwMjIxMTI5MTNaFw0zNDEwMjAxMTI5MTNaMDUxDjAMBgNVBAsMBVdhenVo
MQ4wDAYDVQQKDAVXYXp1aDETMBEGA1UEBwwKQ2FsaWZvcm5pYTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAL/qUIT5ILrj8ITOGKuXZEJsbHd1Umn/e5RU
lZudKUSZUeLnb0Zl8V8+uk3ZQiWt2Ip2AaB8zaooF7Cjx2Eb4MIdUw1vq5oNIliI
we0Z5Xcs6QJ2lmIiaA3mCp/Id4jSiAGZgkhqaQ76Ea1StHk9tpyJ1g0HlsITgkwG
mhYnhvsHU5LeKJcgVEzllE3kXcjVxugx9O+uRE4iaLyNq8W8IeWeS5hocHuJaqeD
JNvgT7+kax2rTVIdncMwcIAeJ/5fdQwoOWEWtXfHXBoGKMsgKKUZ66vMeJ+KbA46
YuvVdPgHMIbJiMh7UR3YQq1+GzsotBLjpJPKv6A+mIK65FUPTvsCAwEAAaNQME4w
HQYDVR0OBBYEFGQnQO24ygrJ5g3ANDE9x1TV1alqMB8GA1UdIwQYMBaAFGQnQO24
ygrJ5g3ANDE9x1TV1alqMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
AFbF5v3wd+zhkC9Wcue6KZcaGomjt5QQGoWACRuQtfL8qs92DPYIC4aFugAYYCCx
KT8Rta9TTcfu1AWeLgXoy77xoLDaOTNRElIaltUXndX2PS368Dk6Q7bX3W8zdYwJ
NzhXMVo+CsEKj2ySDBVpz/MuLJN2xUUgWHlANHIE5ibuqILIxjDxFHoMsqtFtoa+
HFlWG0aDpem2kB9YyQgkBCNHnB7mV8pk3nH1ffzcZvlj9s6Ia/gjZSB1JokN90IG
GmogjkZbnxCb1ESVFr2mWr4Fac5CevowYk5BSkpCxewM9dkktYvvjmGS/Wb1TXGI
HQt7mh3jBM9P7NNJGepw/0Y=
-----END CERTIFICATE-----
[root@wazuh-server ~]#
```

(screenshot: Screenshot_20241022_095807)

VM 2:

Boot Time

```console
cbordon@cbordon-MS-7C88:~/Downloads$ while ! ssh -i cbordon-testing-key.pem -o StrictHostKeyChecking=no wazuh-user@3.80.203.189 exit; do echo "$(date): Retrying..."; sleep 5; done
Warning: Permanently added '3.80.203.189' (ED25519) to the list of known hosts.
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:43:20 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:43:27 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:43:33 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:43:40 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:43:47 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:43:53 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:44:00 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:44:06 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:44:13 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:44:20 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:44:26 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:44:33 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:44:39 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:44:46 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:44:53 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:44:59 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:45:06 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:45:13 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:45:19 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:45:26 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:45:32 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:45:39 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:45:46 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:45:52 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:45:59 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:46:05 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:46:12 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:46:19 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:46:25 -03: Retrying...
wazuh-user@3.80.203.189: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
mar 22 oct 2024 09:46:32 -03: Retrying...
cbordon@cbordon-MS-7C88:~/Downloads$ ssh -i cbordon-testing-key.pem -o StrictHostKeyChecking=no wazuh-user@3.80.203.189
Last login: Mon Oct 21 19:28:53 2024 from 74.235.127.200
    (Wazuh ASCII-art banner)
    WAZUH
    Open Source Security Platform
    https://wazuh.com
[wazuh-user@wazuh-server ~]$
```
Log files

```console
[root@wazuh-server ~]# ls -la /var/log/
total 320
drwxr-xr-x   9 root          root              4096 Oct 22 12:46 .
drwxr-xr-x  20 root          root               282 Oct 21 19:28 ..
drwxr-xr-x   3 root          root                17 Sep 30  2021 amazon
drwx------   2 root          root                23 Sep 30  2021 audit
-rw-------   1 root          root              8718 Oct 22 12:43 boot.log
-rw-------   1 root          root                 0 Oct 21 19:28 boot.log-20220428
-rw-------   1 root          utmp               384 Oct 22 12:43 btmp
-rw-------   1 root          utmp                 0 Oct 21 19:28 btmp-20220428
drwxr-x---   2 chrony        chrony              72 Oct 21 19:23 chrony
-rw-r--r--   1 root          root             98202 Oct 22 12:43 cloud-init.log
-rw-r-----   1 root          root              3307 Oct 22 12:43 cloud-init-output.log
-rw-------   1 root          root               549 Oct 22 12:47 cron
-rw-------   1 root          root                 0 Oct 21 19:28 cron-20220428
-rw-r--r--   1 root          root             29262 Oct 22 12:43 dmesg
-rw-r--r--   1 root          root                 0 Oct 21 19:28 dmesg.old
drw-------   2 root          root               148 Oct 22 12:46 filebeat
-rw-------   1 root          root                 0 Oct 21 19:28 grubby
-rw-r--r--   1 root          root                 0 Oct 21 19:28 grubby_prune_debug
drwxr-sr-x+  3 root          systemd-journal     46 Sep 30  2021 journal
-rw-r--r--   1 root          root            292584 Oct 22 12:48 lastlog
-rw-------   1 root          root               901 Oct 22 12:46 maillog
-rw-------   1 root          root                 0 Oct 21 19:28 maillog-20220428
-rw-------   1 root          root            106501 Oct 22 12:48 messages
-rw-------   1 root          root                 0 Oct 21 19:28 messages-20220428
drwxr-xr-x   2 root          root                78 Oct 22 12:43 sa
-rw-------   1 root          root              9861 Oct 22 12:48 secure
-rw-------   1 root          root                 0 Oct 21 19:28 secure-20220428
-rw-------   1 root          root                 0 Oct 21 19:28 spooler
-rw-------   1 root          root                 0 Oct 21 19:28 spooler-20220428
-rw-------   1 root          root                 0 Oct 21 19:28 tallylog
drwxr-x---   3 wazuh-indexer wazuh-indexer     4096 Oct 22 12:44 wazuh-indexer
-rw-rw-r--   1 root          utmp              7296 Oct 22 12:48 wtmp
-rw-------   1 root          root                 0 Oct 21 19:28 yum.log
-rw-------   1 root          root                 0 Oct 21 19:28 yum.log-20220428
[root@wazuh-server ~]#
```
wazuh.yml file

```console
[root@wazuh-server ~]# cat /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
---
#
# App configuration file
# Copyright (C) 2015-2024 Wazuh, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Find more information about this on the LICENSE file.
#
# =========================== App configuration file ===========================
#
# Please check the documentation for more information about configuration options:
# https://documentation.wazuh.com/4.9/user-manual/wazuh-dashboard/config-file.html
#
# Also, you can check our repository:
# https://github.com/wazuh/wazuh-dashboard-plugins
#
# ---------------------------------- General -----------------------------------
#
# Basic app settings related to alerts index pattern, hide the manager alerts in
# the dashboards, logs level and more.
#
# Define the index name prefix of sample alerts. It must match the template used
# by the index pattern to avoid unknown fields in dashboards.
# alerts.sample.prefix: wazuh-alerts-4.x-
#
# Enable or disable the ability to edit the configuration from UI or API
# endpoints. When disabled, this can only be edited from the configuration file,
# the related API endpoints are disabled, and the UI is inaccessible. Allowed
# values: true, false.
# configuration.ui_api_editable: true
#
# Define the index prefix of predefined jobs.
# cron.prefix: wazuh
#
# Specifies the Wazuh registration server, used for the agent enrollment.
# enrollment.dns: ''
#
# Specifies the password used to authenticate during the agent enrollment.
# enrollment.password: "I-0c0b1fe7cec89c0a1"
#
# Hide the alerts of the manager in every dashboard. Allowed values: true, false.
# hideManagerAlerts: false
#
# Disable certain index pattern names from being available in index pattern
# selector.
# ip.ignore: []
#
# Define if the user is allowed to change the selected index pattern directly from
# the top menu bar. Allowed values: true, false.
# ip.selector: true
#
# Default index pattern to use on the app. If there's no valid index pattern, the
# app will automatically create one with the name indicated in this option.
# pattern: wazuh-alerts-*
#
# Maximum time, in milliseconds, the app will wait for an API response when making
# requests to it. It will be ignored if the value is set under 1500 milliseconds.
# Minimum value: 1500.
# timeout: 20000
#
# Define if the check updates service is active. Allowed values: true, false.
# wazuh.updates.disabled: false
#
# -------------------------------- Health check --------------------------------
#
# Checks will be executed by the app's Healthcheck.
#
# Enable or disable the API health check when opening the app. Allowed values:
# true, false.
# checks.api: true
#
# Enable or disable the known fields health check when opening the app. Allowed
# values: true, false.
# checks.fields: true
#
# Change the default value of the plugin platform max buckets configuration.
# Allowed values: true, false.
# checks.maxBuckets: true
#
# Change the default value of the plugin platform metaField configuration. Allowed
# values: true, false.
# checks.metaFields: true
#
# Enable or disable the index pattern health check when opening the app. Allowed
# values: true, false.
# checks.pattern: true
#
# Enable or disable the setup health check when opening the app. Allowed values:
# true, false.
# checks.setup: true
#
# Enable or disable the template health check when opening the app. Allowed
# values: true, false.
# checks.template: true
#
# Change the default value of the plugin platform timeFilter configuration.
# Allowed values: true, false.
# checks.timeFilter: true
#
# ------------------------------ Task:Monitoring -------------------------------
#
# Options related to the agent status monitoring job and its storage in indexes.
#
# Define the interval in which a new wazuh-monitoring index will be created.
# Allowed values: h (Hourly), d (Daily), w (Weekly), m (Monthly).
# wazuh.monitoring.creation: w
#
# Enable or disable the wazuh-monitoring index creation and/or visualization.
# Allowed values: true, false.
# wazuh.monitoring.enabled: true
#
# Frequency, in seconds, of API requests to get the state of the agents and create
# a new document in the wazuh-monitoring index with this data. Minimum value: 60.
# wazuh.monitoring.frequency: 900
#
# Default index pattern to use for Wazuh monitoring.
# wazuh.monitoring.pattern: wazuh-monitoring-*
#
# Define the number of replicas to use for the wazuh-monitoring-* indices. Minimum
# value: 0.
# wazuh.monitoring.replicas: 0
#
# Define the number of shards to use for the wazuh-monitoring-* indices. Minimum
# value: 1.
# wazuh.monitoring.shards: 1
#
# ------------------------------ Task:Statistics -------------------------------
#
# Options related to the daemons manager monitoring job and their storage in
# indexes.
#
# Enter the ID of the hosts you want to save data from, leave this empty to run
# the task on every host.
# cron.statistics.apis: []
#
# Define the interval in which a new index will be created. Allowed values: h
# (Hourly), d (Daily), w (Weekly), m (Monthly).
# cron.statistics.index.creation: w
#
# Define the name of the index in which the documents will be saved.
# cron.statistics.index.name: statistics
#
# Define the number of replicas to use for the statistics indices. Minimum value:
# 0.
# cron.statistics.index.replicas: 0
#
# Define the number of shards to use for the statistics indices. Minimum value: 1.
# cron.statistics.index.shards: 1
#
# Define the frequency of task execution using cron schedule expressions.
# cron.statistics.interval: 0 */5 * * * *
#
# Enable or disable the statistics tasks. Allowed values: true, false.
# cron.statistics.status: true
#
# ------------------------------ Vulnerabilities -------------------------------
#
# Options related to the agent vulnerabilities monitoring job and its storage in
# indexes.
#
# Default index pattern to use for vulnerabilities.
# vulnerabilities.pattern: wazuh-states-vulnerabilities-*
#
# ------------------------------ Custom branding -------------------------------
#
# If you want to use custom branding elements such as logos, you can do so by
# editing the settings below.
#
# Enable or disable the customization. Allowed values: true, false.
# customization.enabled: true
#
# This logo is used as loading indicator while the user is logging into Wazuh API.
# Supported extensions: .jpeg, .jpg, .png, .svg. Recommended dimensions:
# 300x70px. Maximum file size: 1 MB.
# customization.logo.app: ''
#
# This logo is displayed during the Healthcheck routine of the app. Supported
# extensions: .jpeg, .jpg, .png, .svg. Recommended dimensions: 300x70px. Maximum
# file size: 1 MB.
# customization.logo.healthcheck: ''
#
# This logo is used in the PDF reports generated by the app. It's placed at the
# top left corner of every page of the PDF. Supported extensions: .jpeg, .jpg,
# .png. Recommended dimensions: 190x40px. Maximum file size: 1 MB.
# customization.logo.reports: ''
#
# Set the footer of the reports. Maximum amount of lines: 2. Maximum lines length
# is 50 characters.
# customization.reports.footer: ''
#
# Set the header of the reports. Maximum amount of lines: 3. Maximum lines length
# is 40 characters.
# customization.reports.header: ''
#
# ------------------------------ API connections -------------------------------
#
# Options related to the API connections.
#
# Configure the API connections.
# The following configuration is the default structure to define a host.
#
# hosts:
#   # Host ID / name,
#   - env-1:
#       # Host URL
#       url: https://env-1.example
#       # Host / API port
#       port: 55000
#       # Host / API username
#       username: wazuh-wui
#       # Host / API password
#       password: "I-0c0b1fe7cec89c0a1"
#       # Use RBAC or not. If set to true, the username must be "wazuh-wui".
#       run_as: true
#   - env-2:
#       url: https://env-2.example
#       port: 55000
#       username: wazuh-wui
#       password: "I-0c0b1fe7cec89c0a1"
#       run_as: true
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "I-0c0b1fe7cec89c0a1"
      run_as: false
[root@wazuh-server ~]#
```
root-ca.pem

```console
[root@wazuh-server ~]# ls -la /etc/wazuh-indexer/certs/
total 24
dr-x------  2 wazuh-indexer wazuh-indexer  117 Oct 22 12:44 .
drwxr-x--- 11 wazuh-indexer wazuh-indexer 4096 Oct 22 12:46 ..
-r--------  1 wazuh-indexer wazuh-indexer 1704 Oct 22 12:44 admin-key.pem
-r--------  1 wazuh-indexer wazuh-indexer 1107 Oct 22 12:44 admin.pem
-r--------  1 wazuh-indexer wazuh-indexer 1184 Oct 22 12:44 root-ca.pem
-r--------  1 wazuh-indexer wazuh-indexer 1704 Oct 22 12:44 wazuh-indexer-key.pem
-r--------  1 wazuh-indexer wazuh-indexer 1229 Oct 22 12:44 wazuh-indexer.pem
[root@wazuh-server ~]# cat /etc/wazuh-indexer/certs/root-ca.pem
-----BEGIN CERTIFICATE-----
MIIDPTCCAiWgAwIBAgIJAPDVxVZUOJ/2MA0GCSqGSIb3DQEBCwUAMDUxDjAMBgNV
BAsMBVdhenVoMQ4wDAYDVQQKDAVXYXp1aDETMBEGA1UEBwwKQ2FsaWZvcm5pYTAe
Fw0yNDEwMjIxMjQ0NDlaFw0zNDEwMjAxMjQ0NDlaMDUxDjAMBgNVBAsMBVdhenVo
MQ4wDAYDVQQKDAVXYXp1aDETMBEGA1UEBwwKQ2FsaWZvcm5pYTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMOVaCYq4DKXVSe+/orn66A83Wa6g8mUvEB0
qljYT/+4WjRMzbzsCD+93+SA1LXWyaOE9lnTQ5Ra8KA9YTjTk/VR88yt0Hvdh7ih
cgj2fSIj8hp5zk4Vu6NDzlsOpGhd5Z+hbN34PpzOJNpAlp5aa5zFx3kRalIcDIy3
zoFg/HdK8kdnQnR8XTwJdJlP4d+i1VFyokIwRjknEMPJCUdTMdg+oSk05X3u8s38
3QuGIGawQu2UvNhxV9CmpJFCtfjy5fq4dOsRCBLoCEx6Z4F4FpmTF1PF431yXORx
R86INMrZHt5OqZ4MttY4/uaARU98pebNvOkanjlATKvdkzewLpECAwEAAaNQME4w
HQYDVR0OBBYEFLxvLrhXZCOdu0cCTnXr/HVrwWCkMB8GA1UdIwQYMBaAFLxvLrhX
ZCOdu0cCTnXr/HVrwWCkMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
AKyjYwhfy5OfS+ebu7kFJCVSQAerSlemM5v2jInT7IMOZRFPujdHFWUTIdIOcmZ1
pm57CBEYNplOI5a2ymTePFmArGIS610d7nMrNT1CiWY7jKiRUHG4fM/7AM1vwxlw
hoZQE9x4t5XDzrg/98vGpx0fZCOiO/Cso+CU0lcbO1gc2kAOobD+VuQWEv9y9/mU
DfSIZDLgI4VDDmJKg2K4Zb3pnCqLOmsc7dRRqp/EhxMmLIehLp5NtgJ/mlsIBcuh
sR10Rkjj8Gw8pDMXsMxAyyJ/+k7yJLUMIhCWctbjRX/a508IU/r+hG84BaByQwz7
7eFI5LYuzrc4iVkTt7tnVPg=
-----END CERTIFICATE-----
[root@wazuh-server ~]#
```

(screenshot: Screenshot_20241022_095930)
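The description speaks of checkpoints that validate the services after the certificate change, and the Tests section measures readiness with an unbounded ssh retry loop. The following is an added example, not code from the wazuh-virtual-machines customization script, of two such checkpoints: a check that the indexer certificate files match what the `ls -la /etc/wazuh-indexer/certs/` listing above shows (present, mode 0400, owned by the service user, PEM-framed) and a bounded retry helper that fails the build instead of hanging. It assumes GNU `stat -c` (Amazon Linux); the `systemctl`/`curl` calls in the trailing comment are illustrative and assume the indexer listens on 127.0.0.1:9200.

```shell
#!/usr/bin/env bash
# Added example (not the project's own script): post-customization checkpoints.
#   check_certs DIR OWNER        every expected indexer cert file exists, is a regular
#                                file with mode 0400 owned by OWNER, and is PEM-framed
#   wait_for TRIES DELAY CMD...  retry CMD until it succeeds, like the ssh loop in the
#                                Tests section, but give up after TRIES attempts
# Assumes GNU coreutils (stat -c '%a %U').

# File names taken from the /etc/wazuh-indexer/certs/ listing in the Tests section.
CERT_FILES="admin-key.pem admin.pem root-ca.pem wazuh-indexer-key.pem wazuh-indexer.pem"

check_certs() {
  dir="$1"; owner="$2"; rc=0
  for f in $CERT_FILES; do
    p="$dir/$f"
    if [ ! -f "$p" ]; then
      echo "MISSING   $p" >&2; rc=1; continue
    fi
    # The listing shows -r-------- wazuh-indexer wazuh-indexer for every file:
    # a world- or group-readable private key here is a build failure.
    set -- $(stat -c '%a %U' "$p")
    mode="$1"; uid="$2"
    if [ "$mode" != "400" ]; then
      echo "BAD MODE  $p (got $mode, want 400)" >&2; rc=1
    fi
    if [ "$uid" != "$owner" ]; then
      echo "BAD OWNER $p (got $uid, want $owner)" >&2; rc=1
    fi
    # A truncated or empty file (e.g. a failed regeneration) has no PEM armor.
    if ! grep -q -- '-----BEGIN ' "$p" || ! grep -q -- '-----END ' "$p"; then
      echo "NOT PEM   $p" >&2; rc=1
    fi
  done
  return $rc
}

wait_for() {
  tries="$1"; delay="$2"; shift 2
  n=0
  while ! "$@" >/dev/null 2>&1; do
    n=$((n + 1))
    if [ "$n" -ge "$tries" ]; then
      echo "gave up after $n attempts: $*" >&2
      return 1
    fi
    echo "$(date): Retrying..." >&2
    sleep "$delay"
  done
  return 0
}

# Illustrative use on the instance after the certificate step (assumed service
# name and port; curl exits 0 on an HTTP 401, so this proves only that TLS with
# the freshly generated root-ca.pem works, which is the point of the checkpoint):
#   check_certs /etc/wazuh-indexer/certs wazuh-indexer &&
#   wait_for 60 5 systemctl is-active --quiet wazuh-indexer &&
#   wait_for 60 5 curl -sS --cacert /etc/wazuh-indexer/certs/root-ca.pem -o /dev/null https://127.0.0.1:9200
```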