Update wazuh.rst to better explain how to use TLS #1105
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MoteHue
reviewed
Jun 21, 2024
MoteHue
requested changes
Jun 26, 2024
Include the need to ``export KAYOBE_VAULT_PASSWORD`` before running the wazuh secrets playbook and state that wazuh-secrets.yml are encrypted post templating.
|
@MaxBed4d let's go through this together next week and update the wording a bit so we can get this merged |
Alex-Welsh
requested changes
Nov 8, 2024
| @@ -11,8 +11,8 @@ The short version | |||
| ``etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager``, in | |||
| particular the defaults assume that the ``provision_oc_net`` network will be | |||
| used. | |||
| #. Ensure to export vault password: ``export KAYOBE_VAULT_PASSWORD={ansible_vault_password}`` | |||
There was a problem hiding this comment.
Suggested change
| #. Ensure to export vault password: ``export KAYOBE_VAULT_PASSWORD={ansible_vault_password}`` | |
| #. Export the Ansible vault password e.g. : ``export KAYOBE_VAULT_PASSWORD=$(cat path/to/vault/password/file)`` |
| @@ -241,16 +241,17 @@ Wazuh secrets playbook is located in ``etc/kayobe/ansible/wazuh-secrets.yml``. | |||
| Running this playbook will generate and put pertinent security items into secrets | |||
| vault file which will be placed in ``$KAYOBE_CONFIG_PATH/wazuh-secrets.yml``. | |||
| If using environments it ends up in ``$KAYOBE_CONFIG_PATH/environments/<env_name>/wazuh-secrets.yml`` | |||
| Remember to encrypt! | |||
| The secrets will be encrypted after templating and so requires that ``KAYOBE_VAULT_PASSWORD`` is set and exported before running the playbook! | |||
There was a problem hiding this comment.
Suggested change
| The secrets will be encrypted after templating and so requires that ``KAYOBE_VAULT_PASSWORD`` is set and exported before running the playbook! | |
| The secrets will be encrypted after templating. Ensure that ``KAYOBE_VAULT_PASSWORD`` is set and exported before running the playbook! |
|
|
||
|
|
||
| .. code-block:: console | ||
|
|
||
| kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/wazuh-secrets.yml | ||
| ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/wazuh-secrets.yml | ||
|
|
||
| To view ``wazuh-secrets.yml`` simply ``ansible-vault view --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/wazuh-secrets.yml`` |
There was a problem hiding this comment.
Suggested change
| To view ``wazuh-secrets.yml`` simply ``ansible-vault view --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/wazuh-secrets.yml`` | |
| To view ``wazuh-secrets.yml``: | |
| ..code-block:: console | |
| ansible-vault view --vault-password-file path/to/vault/password/file $KAYOBE_CONFIG_PATH/wazuh-secrets.yml | |
Comment on lines
+322
to
+324
| In order to use externally generated certificates, you must first deploy Wazuh Ansible as normal in order to generate the base certificates. | ||
| This is because Wazuh will require to deploy with some sort of certificates, as well as, not every Wazuh service needing a custom external certificate; | ||
| for example the ``root`` and ``admin`` certificates. Therefore the ``<...>/wazuh/wazuh-certificates`` directory must be created and populated by ``wazuh-cert-tool.sh``, which it won't do if the ``<...>/wazuh/wazuh-certificates`` directory already exists. |
There was a problem hiding this comment.
While the existing text is correct, the "why" section makes it much more confusing.
Suggested change
| In order to use externally generated certificates, you must first deploy Wazuh Ansible as normal in order to generate the base certificates. | |
| This is because Wazuh will require to deploy with some sort of certificates, as well as, not every Wazuh service needing a custom external certificate; | |
| for example the ``root`` and ``admin`` certificates. Therefore the ``<...>/wazuh/wazuh-certificates`` directory must be created and populated by ``wazuh-cert-tool.sh``, which it won't do if the ``<...>/wazuh/wazuh-certificates`` directory already exists. | |
| To use externally generated certificates, you must first deploy Wazuh Ansible as normal to generate the base certificates. The custom certificates can then be added to this bundle. |
Comment on lines
+326
to
+330
| Once the Wazuh generated certificates have been made, the desired custom external certificates need to be added in. | ||
| To do so, must ``SSH`` into the ``infra VM`` which Wazuh services have been deployed to and, with ``sudo`` privileges, | ||
| remove any of the 'base' certificates from ``/etc/wazuh-{dashboard | indexer}/certs/`` which are being replaced with custom ones. | ||
| After this, return to the ``seed`` VM and drop the custom new ``pem`` certificates into ``$KAYOBE_CONFIG_PATH/environments/<environment>/wazuh/wazuh-certificates/`` if using a kayobe environment, or ``$KAYOBE_CONFIG_PATH/wazuh/wazuh-certificates/`` if not. | ||
| Finally, rerun the Wazuh Ansible playbook and now the custom certificates should be copied over to their respective directories in the ``infra VM``. |
There was a problem hiding this comment.
Some changes here to wording, just to make it a bit clearer and more generic (e.g. not all wazuh-managers are infra VMs)
Suggested change
| Once the Wazuh generated certificates have been made, the desired custom external certificates need to be added in. | |
| To do so, must ``SSH`` into the ``infra VM`` which Wazuh services have been deployed to and, with ``sudo`` privileges, | |
| remove any of the 'base' certificates from ``/etc/wazuh-{dashboard | indexer}/certs/`` which are being replaced with custom ones. | |
| After this, return to the ``seed`` VM and drop the custom new ``pem`` certificates into ``$KAYOBE_CONFIG_PATH/environments/<environment>/wazuh/wazuh-certificates/`` if using a kayobe environment, or ``$KAYOBE_CONFIG_PATH/wazuh/wazuh-certificates/`` if not. | |
| Finally, rerun the Wazuh Ansible playbook and now the custom certificates should be copied over to their respective directories in the ``infra VM``. | |
| Once the Wazuh generated certificates have been made, the custom external certificates need to be added in. To do so, ssh into the Wazuh Manager and remove any of the 'base' certificates from ``/etc/wazuh-{dashboard | indexer}/certs/`` which are being replaced with custom ones. | |
| Return to the ``seed`` and drop the custom ``pem`` certificates into ``$KAYOBE_CONFIG_PATH/environments/<environment>/wazuh/wazuh-certificates/`` if using a kayobe environment, or ``$KAYOBE_CONFIG_PATH/wazuh/wazuh-certificates/`` if not. | |
| Finally, rerun the Wazuh Ansible playbook to deploy the custom certificates. |
| After this, return to the ``seed`` VM and drop the custom new ``pem`` certificates into ``$KAYOBE_CONFIG_PATH/environments/<environment>/wazuh/wazuh-certificates/`` if using a kayobe environment, or ``$KAYOBE_CONFIG_PATH/wazuh/wazuh-certificates/`` if not. | ||
| Finally, rerun the Wazuh Ansible playbook and now the custom certificates should be copied over to their respective directories in the ``infra VM``. | ||
|
|
||
| Following this, the ``sudo systemctl status`` for the three Wazuh services should be checked to make sure they are up and running with no errors. Additionally, testing ``sudo filebeat test output`` and trying to ``curl`` the service's IP will also signify if the certificates are working correctly. |
There was a problem hiding this comment.
Suggested change
| Following this, the ``sudo systemctl status`` for the three Wazuh services should be checked to make sure they are up and running with no errors. Additionally, testing ``sudo filebeat test output`` and trying to ``curl`` the service's IP will also signify if the certificates are working correctly. | |
| Ensure the systemd units for the three Wazuh services are healthy. Additionally, testing ``sudo filebeat test output`` and trying to ``curl`` the service's IP will also signify if the certificates are working correctly. |
Comment on lines
+341
to
+360
| .. note:: | ||
|
|
||
| If you find that your Wazuh playbook isn't generating some of the non custom 'base' certificates, | ||
| such as the ``indexer`` or ``dashboard`` certificates, it is likely that those services aren't being | ||
| templated correctly into the ``wazuh-cert-tool.sh`` which then creates the certificates. | ||
| Therefore it is likely that a variable in ``$KAYOBE_CONFIG_PATH/inventory/group_vars/wazuh-manager/wazuh-manager`` | ||
| is not matching the corresponding variable used to template ``wazuh-cert-tool.sh``. | ||
|
|
||
| Below is the template for generating ``wazuh-cert-tool.sh``; make sure all the ``"{{ variables }}"`` have been defined: | ||
|
|
||
| .. code-block:: bash | ||
|
|
||
| instances: | ||
| wazuh: | ||
| name: "{{ inventory_hostname }}" | ||
| ip: "{{ wazuh_manager_ip }}" | ||
| role: indexer | ||
|
|
||
| Where ``role`` defines the service which ``wazuh-cert-tool.sh`` will create a certificate for. | ||
| This should be defined in ``$KAYOBE_CONFIG_PATH/environments/<environment>/inventory/group_vars/wazuh-manager/wazuh-manager.yml``. |
There was a problem hiding this comment.
I can't work out what this is saying
Alex-Welsh
added
documentation
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.