Wazuh – Securing the API
After installing Wazuh, let's look at how to secure access to the API.
Securing the API takes three steps:
- enable HTTPS as the transport protocol;
- change the default port;
- change the default credentials (by default: username=foo, password=bar).
Wazuh ships a script that applies the changes listed above:
# /var/ossec/api/scripts/configure_api.sh
### Wazuh API Configuration ###
TCP port [55000]: 55000
Using TCP port 55000.
Enable HTTPS and generate SSL certificate? [Y/n/s]: Y
Step 1: Create key [Press Enter]
Generating RSA private key, 4096 bit long modulus (2 primes)
..........................................................++++
...............................................................................++++
e is 65537 (0x010001)
Enter pass phrase for server.key: passphrase for server.key
Verifying - Enter pass phrase for server.key: verifying passphrase for server.key
Enter pass phrase for server.key.org: passphrase for server.key.org
writing RSA key
Step 2: Create self-signed certificate [Press Enter]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IT
State or Province Name (full name) []:Italy
Locality Name (eg, city) [Default City]:Florence
Organization Name (eg, company) [Default Company Ltd]:Anthesia Ltd.
Organizational Unit Name (eg, section) []:IT Dep.
Common Name (eg, your name or your server's hostname) []:wazuh.anthesia.lan
Email Address []:<email address here>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Key: /var/ossec/api/configuration/ssl/server.key.
Certificate: /var/ossec/api/configuration/ssl/server.crt
Continue with next section [Press Enter]
Enable user authentication? [Y/n/s]: Y
API user: wazuh_user
New password: wazuh_password
Re-type new password: wazuh_password
Adding password for user wazuh_user.
is the API running behind a proxy server? [y/N/s]:
API not running behind proxy server.
Configuration changed.
Restarting API.
### [Configuration changed] ###
To verify that the certificate is installed and that the API answers over HTTPS, we make a test connection with curl on port 55000. First we download the self-signed certificate we generated and installed:
# echo quit | openssl s_client -showcerts -servername wazuh.anthesia.lan -connect wazuh.anthesia.lan:55000 > cacert.pem
depth=0 C = IT, ST = Italy, L = Florence, O = Anthesia Ltd., OU = IT Dep., CN = wazuh.anthesia.lan, emailAddress = <email address here>
verify error:num=18:self signed certificate
verify return:1
depth=0 C = IT, ST = Italy, L = Florence, O = Anthesia Ltd., OU = IT Dep., CN = wazuh.anthesia.lan, emailAddress = <email address here>
verify return:1
DONE
Next, we connect over HTTPS using the downloaded certificate as the trust anchor (the "verify error" above is expected for a self-signed certificate; passing it to --cacert is what makes curl accept it):
# curl --cacert cacert.pem -u wazuh_user:wazuh_password https://wazuh.anthesia.lan:55000
{"error":0,"data":{"msg":"Welcome to Wazuh HIDS API","api_version":"v3.12.3","hostname":"wazuh.anthesia.lan","timestamp":"Thu May 07 2020 10:06:29 GMT-0400 (Eastern Daylight Time)"}}
Having changed the API configuration, we also have to update the configuration of the Wazuh plugin in Kibana, entering the new credentials and switching the URL to HTTPS. On the server where Kibana is installed, edit the file /usr/share/kibana/optimize/wazuh/config/wazuh.yml :
hosts:
  - production:
      url: https://192.168.xxx.xxx
      port: 55000
      user: wazuh_user
      password: wazuh_password
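As an added example (not code from the original post or from the Wazuh project), the following Python script audits the host entries of a wazuh.yml against the three points above: plain-http URL, the default foo/bar credentials, and the API port left at its default. The sample config, the host names and the 192.168.0.x addresses are constructed; the parser only handles the `hosts:` block shape shown in the post.

```python
"""Audit Wazuh API host entries in a Kibana wazuh.yml for the weaknesses the post fixes."""
from urllib.parse import urlsplit

DEFAULT_CREDS = ("foo", "bar")   # Wazuh API default user/password that the post tells us to change
DEFAULT_PORT = "55000"           # default API TCP port (the post keeps it, so it is reported as info)

def parse_hosts(text):
    """Return one dict per entry under `hosts:`; assumes the file holds only that block."""
    hosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):                 # "- production:" opens a new host entry
            current = {"name": line[2:].rstrip(":")}
            hosts.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")   # split at the first colon only: URLs contain ':'
            current[key.strip()] = value.strip()
    return hosts

def audit_host(host):
    """Return (severity, message) findings for a single host entry."""
    findings = []
    if urlsplit(host.get("url", "")).scheme != "https":
        findings.append(("high", "API URL is not https: credentials travel in clear text"))
    if (host.get("user"), host.get("password")) == DEFAULT_CREDS:
        findings.append(("high", "default API credentials foo/bar still in use"))
    if host.get("port") == DEFAULT_PORT:
        findings.append(("info", "API still on the default port 55000"))
    return findings

def audit_config(text):
    """Map each host name to its list of findings."""
    return {h["name"]: audit_host(h) for h in parse_hosts(text)}

# Constructed sample: "production" mirrors the post's hardened entry, "lab" was never configured.
SAMPLE_CONFIG = """hosts:
  - production:
      url: https://192.168.0.10
      port: 55000
      user: wazuh_user
      password: wazuh_password
  - lab:
      url: http://192.168.0.11
      port: 55000
      user: foo
      password: bar
"""
```

Running audit_config(SAMPLE_CONFIG) reports only the port note for "production" and two high findings plus the port note for "lab".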
Let's now take a brief look at the interface that Wazuh offers inside Kibana.