[Agent Registration - Diagram explaining Simple Registration] Update


Vu Van Than

Jan 8, 2021, 11:01:12 AM
to Wazuh mailing list
Hello Team, 

Please allow me to ask a question here. I recently read about "Register all agents using different methods". I have been researching to find the MOST cost-effective solution that requires the LEAST amount of operational management. I was a little bit lucky when I saw the diagram explaining simple registration on a previous topic. Allow me to copy it again here.

SimpleRegistrationDiagram.png

Screenshot at Jan 08 22-22-21.png

ClientHello: This is the beginning, we're talking to a server so we can start the TLS process.

ServerHello: The server responding back to acknowledge we're talking in TLS now.

Certificate: This is a copy of the certificate that is installed on the server.

ServerKeyExchange: This is part of the protocol used to allow both devices to arrive at the same symmetric key to use after the TLS handshake.

CertificateRequest: Only used if the server wants to verify the client with a certificate. This can be conveyed as a form of authentication.

ServerHelloDone: The server is done with its part of the TLS handshake.

Certificate: Only provided if needed; see CertificateRequest above.

ClientKeyExchange: This is the companion to ServerKeyExchange to make sure both sides have a symmetric key.

CertificateVerify: Part of CertificateRequest and Client-Side TLS.

ChangeCipherSpec: This is usually the indication that we're done with everything and we're ready to start talking with encryption.

Finished: This is the end of the client side.

ChangeCipherSpec: The server is agreeing to the cipherspec.

Finished: It's all done and we're fully encrypted now.


At this time, when it's done, we will see the files on both the agent side and the manager side.


Screenshot at Jan 01.png


Screenshot at Jan 08 22-28-11.png


Screenshot at Jan 08 22-40-11.png

Every Wazuh agent sends data to the Wazuh manager via a secure way called OSSEC message protocol. This protocol encrypts messages using a pre-shared key. In a fresh install, if you didn’t register and configure your agent during the installation time, the agent can’t communicate with the manager due to the lack of this pre-shared key.

The registration process consists of a mechanism to create a trusted relationship between the Manager and an Agent. This process could be done in a Manager itself or with a registration service. This service runs on the Manager, where an Agent could request a pre-shared key using some credentials. The Manager will reply with the key and store the new Agent in a local database.

Another approach is using the Wazuh API; this is just a wrapper for local registration on the Wazuh manager.


1 - [Question] I think this is the simplest method for agent registration. Is this correct? We only have to be careful about the trusted network which will permit agent registration with the manager side.

2 - [Question] I don't know where we would modify the client key on the server or add more trusted networks. Do we need to restart the manager side? Please help me clarify.

Regards,



Miguel Casares

Jan 11, 2021, 1:34:04 PM
to Wazuh mailing list
Hello Vuvant,

Since Wazuh 4.0, by default, the agent registers automatically with the manager through enrollment. Configuration details can be found in the Enrollment section.

There is no need to request a key using an external CLI because the agents can now request the key autonomously. When an agent has a manager IP defined in its ossec.conf, it will automatically request the key from the manager if it does not have a valid key at startup.

The auto-enrollment functionality also allows the agent to request a new key in case of losing the connection with the manager. If this happens, the agent will check if the manager IP is defined in the ossec.conf and, if it is, it will request a new key, by default every 10 seconds up to 5 consecutive times. Both the number of request attempts and the frequency with which these keys are requested can be customized in the ossec.conf.

The agent enrollment can still be done using agent-auth, but with auto-enrollment there is no need to request the key. It is worth mentioning that all the agents from previous versions are still 100% compatible with the 4.x version.

Having said that, the simplest method is using the agent enrollment plus deployment variables. With only one step, you can deploy and register your agent.


References:

- https://wazuh.com/blog/wazuh-4-0-released/
- https://documentation.wazuh.com/4.0/installation-guide/wazuh-agent/deployment_variables/deployment_variables.html#deployment-variables

Let us know if you have further questions.

Regards,

Miguel Casares

jeremias...@wazuh.com

Jan 11, 2021, 1:35:26 PM
to Wazuh mailing list
Hello @vuvanthancnc,
Thank you for using Wazuh!
The diagram that you shared is a good reference for the registration process.
Basically: the Wazuh manager and Wazuh agent communicate with each other by encrypting every message with shared keys to protect sensitive system data collected by the agent.
In order to do so, the agent requests the key from its manager, which is known as the registration process. This registration process can be done without protection, protected by a password, or protected by certificates.

Regarding your questions:

1) Yes, letting the agent request the key from the manager is the best approach, because editing the keys manually is harder to automate.
I want to highlight something really important here: since Wazuh 4.0, we introduced a new feature named Enrollment. It is basically an automation of the registration process.
With this new feature (which is enabled by default), once an agent has the manager IP address configured it can be started, will automatically detect the need for a key, and will request it from the configured manager. In a similar way, if the communication with the manager gets lost (i.e. if the manager loses the agent key), the agent will also request a new key.
To reduce the number of operations even more, you can install every Wazuh agent as a deployment. Doing so, the manager IP can be set during the installation, and you only have to start the agents and they will request the new key on their own.
After the key is successfully requested, you should see a log similar to this on the agent side:
log.png
I want to add that every possible configuration of the registration process can be set in the <enrollment> section of the agent ossec.conf file. You can read more about it here.
The easiest registration process is the one without an extra security check (the default), trusting the network access of each agent, but if you want to protect the registration process, the safest way is using certificates (link), and the enrollment feature allows you to configure every possible setup just by writing the enrollment block.

2) The keys are reloaded every time an agent requests a new one, but if the file is edited manually, the agent and manager should be restarted to see the changes.

Please let me know if this helps you. If you have further doubts or if you need any help, please let me know.
Best regards.
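Both replies above turn on the same point: which of the three enrollment postures (plain network trust, password, certificates) an agent's ossec.conf actually configures, and whether it has a manager address to enroll against at all. The following script is an added example for this thread, not Wazuh project code; it classifies that posture from a config file. The element names (<client><server><address>, <client><enrollment> with <enabled>, <manager_address>, <authorization_pass_path>, <server_ca_path>, <agent_certificate_path>, <agent_key_path>) are assumed from the Wazuh 4.x enrollment documentation as I recall it and should be checked against the docs for the version in use; the sample configs and file paths are constructed for the example.

```python
"""Report the enrollment (registration) posture of a Wazuh agent ossec.conf.

Added example for this mailing-list thread; not Wazuh's own code.  Element
names are assumed from the Wazuh 4.x enrollment docs; verify them locally.
"""
import xml.etree.ElementTree as ET

# Constructed sample configs (assumed layout, not real deployments).
SAMPLE_DEFAULT = """<ossec_config>
  <client>
    <server>
      <address>10.0.0.10</address>
      <port>1514</port>
    </server>
  </client>
</ossec_config>"""

SAMPLE_PASSWORD = """<ossec_config>
  <client>
    <server><address>10.0.0.10</address></server>
    <enrollment>
      <enabled>yes</enabled>
      <manager_address>10.0.0.10</manager_address>
      <authorization_pass_path>/var/ossec/etc/authd.pass</authorization_pass_path>
    </enrollment>
  </client>
</ossec_config>"""

# Two top-level <ossec_config> blocks, as a real ossec.conf often has.
SAMPLE_CERT = """<ossec_config>
  <client>
    <server><address>wazuh.example.internal</address></server>
    <enrollment>
      <server_ca_path>/var/ossec/etc/rootCA.pem</server_ca_path>
      <agent_certificate_path>/var/ossec/etc/agent.pem</agent_certificate_path>
      <agent_key_path>/var/ossec/etc/agent-key.pem</agent_key_path>
    </enrollment>
  </client>
</ossec_config>
<ossec_config>
  <active-response><disabled>no</disabled></active-response>
</ossec_config>"""

SAMPLE_DISABLED = """<ossec_config>
  <client>
    <server><address>10.0.0.10</address></server>
    <enrollment><enabled>no</enabled></enrollment>
  </client>
</ossec_config>"""


def _parse(conf_text):
    # ossec.conf may hold several top-level <ossec_config> blocks, which is
    # not a single well-formed XML document, so wrap them in a synthetic root.
    return ET.fromstring("<root>" + conf_text + "</root>")


def _text(elem, tag):
    # Text of a direct child, or None if the parent or child is missing.
    child = elem.find(tag) if elem is not None else None
    return child.text.strip() if child is not None and child.text else None


def classify_enrollment(conf_text):
    """Return how the agent will obtain its pre-shared key.

    mode is one of:
      disabled      - enrollment switched off: key goes into client.keys by
                      hand, and agent and manager need a restart to see it
      no_manager    - no manager address anywhere: the agent cannot enroll
      network_trust - default auto-enrollment with no password or certificate;
                      security rests entirely on who can reach the manager
      password      - authd password file configured
      certificate   - agent certificate and key configured (mutual TLS)
    """
    root = _parse(conf_text)
    managers = [a.text.strip() for a in
                root.findall("ossec_config/client/server/address") if a.text]
    enrollment = root.find("ossec_config/client/enrollment")
    enabled = (_text(enrollment, "enabled") or "yes").lower() != "no"
    target = _text(enrollment, "manager_address") or (managers[0] if managers else None)
    has_cert = bool(_text(enrollment, "agent_certificate_path")
                    and _text(enrollment, "agent_key_path"))
    has_pass = bool(_text(enrollment, "authorization_pass_path"))
    verifies_manager = bool(_text(enrollment, "server_ca_path"))

    if not enabled:
        mode = "disabled"
    elif target is None:
        mode = "no_manager"
    elif has_cert:
        mode = "certificate"
    elif has_pass:
        mode = "password"
    else:
        mode = "network_trust"
    return {"mode": mode, "managers": managers, "enroll_target": target,
            "verifies_manager": verifies_manager}


if __name__ == "__main__":
    for name, conf in [("default", SAMPLE_DEFAULT), ("password", SAMPLE_PASSWORD),
                       ("certificate", SAMPLE_CERT), ("disabled", SAMPLE_DISABLED)]:
        print(name, classify_enrollment(conf))
```

Run it against a real file with `classify_enrollment(open("/var/ossec/etc/ossec.conf").read())`. A result of `network_trust` is the "trusting on the network access of each agent" case from the reply above, so it is the one to flag in a fleet-wide check; `verifies_manager` being False means the agent will accept any manager certificate at enrollment time.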

Vu Van Than

Jan 11, 2021, 8:49:30 PM
to jeremias...@wazuh.com, Wazuh mailing list
Hi Jeremias,

It's clear to me right now, thank you for your help.

Regards,



jeremias...@wazuh.com

Jan 12, 2021, 6:49:05 PM
to Wazuh mailing list
Glad to hear that!
Again, thank you for using Wazuh. And if you have further doubts don't hesitate to ask.
Best Regards.