Secure agent registration - Help


Vincent TETREAU

Jul 6, 2022, 4:35:34 PM
to Wazuh mailing list
Hello, 

I am looking to deploy Wazuh agents by GPO, so I am using the shell script.

How can I lock agent registration to my shell script only? If someone knows my public IP address, they could register their client without authentication.

I've read the documentation but I'm having trouble understanding the concept of registering agents in a secure way. Is the solution to use password authentication? A parameter would then be needed to block all other connection modes.

Thank you for your help

Vince

Jose Camargo

Jul 6, 2022, 5:46:40 PM
to Wazuh mailing list
Hello Vincent, hope you are doing well.

Thank you for using Wazuh!


To enroll agents securely, you have two ways of doing so as explained in this document: https://documentation.wazuh.com/current/user-manual/agent-enrollment/index.html

Agent enrollment allows:

  • The Wazuh manager to register agents and generate unique keys for them.

  • The use of the key to encrypt communication between the agent and the manager.

  • Validation of the identity of the agents communicating with the manager.

You'll have to have outbound connectivity from the Wazuh agent to the Wazuh manager services through the following ports (which are configurable):
  • 1514/TCP for agent communication.

  • 1515/TCP for enrollment via automatic agent request.

  • 55000/TCP for enrollment via manager API.



The first, and the recommended way to do it, is Enrollment via Agent Configuration. You can see how the configuration is done in this document: https://documentation.wazuh.com/current/user-manual/registering/agent-enrollment.html#registration-using-the-enrollment-method
In this option, the agent is automatically enrolled after the Wazuh manager IP address has been configured. Enrollment with additional security options involves the use of passwords for enrollment authorization or certificates for identity validation of the agent and manager. Please check this document https://documentation.wazuh.com/current/user-manual/agent-enrollment/security-options/index.html for guidance on enrolling an agent to a manager with additional security options enabled.

The second option is Enrollment via Manager API. You can see how it is configured here: https://documentation.wazuh.com/current/user-manual/agent-enrollment/via-manager-API/index.html
The Wazuh manager API allows users to make an agent enrollment request to the Wazuh manager. This request returns a unique key for the agent, which must be manually imported into the agent. In the end, this process will have the same result as the one explained before, but again, the first one is recommended as it is easier and more understandable.

Once the configuration is done, only agents that have the correct password/certificates can be registered in your environment. This addresses your concerns about security.


Please let us know if this answer was helpful or if any issues arise, we'll be glad to help!

Vincent TETREAU

Jul 8, 2022, 1:53:15 PM
to Wazuh mailing list

Thank you very much for this information/confirmation.
I thought that agents without certificates already set up would be refused the connection.
But I understand that once registered, the agents no longer use the certificates to connect.

Vince

Rudy Setiawan

Jan 12, 2023, 8:41:48 PM
to Wazuh mailing list
Quick question: if I enabled the password for the agent enrollment (the goal is to disable the auto enrollment?), do I need that password if I enrolled via the API using the registration key?

Thank you
Rudy

Rudy Setiawan

Jan 12, 2023, 11:49:18 PM
to Wazuh mailing list
Ok, I tried that, so it didn't work :)

So to prevent anyone from registering to the manager freely, we can do something like this:
1. Enable the password authentication ... it is like one password for ALL. This is just to make sure that the agent is allowed to connect to the manager.
2. Then use the Agent Identity Verification to validate the certificate; if it's not valid, then it will fail.

Thank you :)
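The two-step setup described in the thread (shared enrollment password plus certificate-based agent identity verification), as an added configuration example that is not from the thread or from the Wazuh project. Hostname and the certificate/CA file paths are assumptions; `/var/ossec/etc/authd.pass` is the documented default password file.

```xml
<!-- Manager side: /var/ossec/etc/ossec.conf -->
<ossec_config>
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <!-- Weak setting: any host that can reach 1515/TCP may enroll itself.
         <use_password>no</use_password> -->
    <!-- Step 1: require the shared secret stored in /var/ossec/etc/authd.pass -->
    <use_password>yes</use_password>
    <!-- Step 2 (Agent Identity Verification): only agents presenting a
         certificate signed by this CA are allowed to enroll. Path is assumed. -->
    <ssl_agent_ca>/var/ossec/etc/rootCA.pem</ssl_agent_ca>
    <!-- Manager identity: agents check this certificate against their copy
         of the CA, so a rogue manager cannot impersonate the real one. -->
    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
  </auth>
</ossec_config>

<!-- Agent side: /var/ossec/etc/ossec.conf (assumed manager hostname) -->
<ossec_config>
  <client>
    <server>
      <address>wazuh-manager.example.internal</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <enrollment>
      <enabled>yes</enabled>
      <manager_address>wazuh-manager.example.internal</manager_address>
      <port>1515</port>
      <!-- Step 1: file holding the same shared password as the manager -->
      <authorization_pass_path>/var/ossec/etc/authd.pass</authorization_pass_path>
      <!-- Step 2: per-agent certificate and key signed by the CA above (assumed paths) -->
      <agent_certificate_path>/var/ossec/etc/agent.cert</agent_certificate_path>
      <agent_key_path>/var/ossec/etc/agent.key</agent_key_path>
      <!-- CA used to verify the manager's certificate -->
      <server_ca_path>/var/ossec/etc/rootCA.pem</server_ca_path>
      <!-- Do not fall back to an unverified TLS negotiation -->
      <auto_method>no</auto_method>
    </enrollment>
  </client>
</ossec_config>
```

On Windows agents the same `<client>` block lives in `ossec.conf` inside the agent installation directory, so a GPO-deployed script must also place the password file, certificate and key there before the agent service starts.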