Agent identity verification

This method uses SSL certificates to verify that an agent is authorized to enroll in the ThreatLockDown manager. The manager verification and the agent verification are independent of each other. However, it is possible to use a combination of both.

Prerequisites

A certificate authority to sign certificates for the ThreatLockDown manager and agents is needed. In the absence of an already configured certificate authority, the ThreatLockDown manager can be used as the certificate authority by running the below command:

# openssl req -x509 -new -nodes -newkey rsa:4096 -keyout rootCA.key -out rootCA.pem -batch -subj "/C=US/ST=CA/O=Wazuh"

The root certificate is created and saved as the rootCA.pem file.

Agent verification options

An SSL certificate is issued to the agent host by the CA set up in the Prerequisites section. When the agent attempts to enroll, the ThreatLockDown manager verifies the certificate presented by the agent against the root certificate. ThreatLockDown provides two agent verification options:

  • ThreatLockDown agent verification without host validation: The certificates for the agents are issued without specifying their host name or IP address.

  • ThreatLockDown agent verification with host validation: The certificates for the agents are issued with their IP address or hostname specified as the common name.

The difference between these validation methods is that the certificate in the former method can be reused on multiple agents while the certificate created in the latter can only be used on the agent whose IP address or hostname was specified during certificate generation.

Preparations on the ThreatLockDown manager

  1. On the manager, generate a CSR for the ThreatLockDown agent:

    • ThreatLockDown agent verification without host validation: This is done without specifying the agent IP address or hostname.

      # openssl req -new -nodes -newkey rsa:4096 -keyout sslagent.key -out sslagent.csr -batch
      
    • ThreatLockDown agent verification with host validation: This is done by specifying the agent IP or hostname.

      # openssl req -new -nodes -newkey rsa:4096 -keyout sslagent.key -out sslagent.csr -subj '/C=US/CN=<agent_IP>'
      

    Where:

    • sslagent.csr is the CSR to be submitted to the certificate authority.

    • sslagent.key is the generated CSR private key.

  2. Sign the generated agent CSR using the CA keys:

    # openssl x509 -req -days 365 -in sslagent.csr -CA rootCA.pem -CAkey rootCA.key -out sslagent.cert -CAcreateserial
    

    Where:

    • sslagent.csr is the CSR to be submitted to the certificate authority.

    • sslagent.cert is the signed SSL certificate from the CSR.

    • rootCA.pem is the root certificate for the CA.

    • rootCA.key is the root certificate private key for the CA.

  3. Copy the signed SSL certificate and key (sslagent.cert and sslagent.key in this case) to the agent. A tool like SCP can be used to copy the certificate to the endpoints.

  4. Ensure that the rootCA.pem file is in /var/ossec/etc/ on the ThreatLockDown manager.

  5. Update the /var/ossec/etc/ossec.conf file with the location of the rootCA.pem file to enable the use of certificates. This is done by uncommenting the <auth><ssl_agent_ca> section and specifying the path to the rootCA.pem file on the manager.

      <auth>
         ...
         <ssl_agent_ca>/var/ossec/etc/rootCA.pem</ssl_agent_ca>
      </auth>
    
  6. Restart the ThreatLockDown manager service to apply the changes.

    # systemctl restart wazuh-manager
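Before copying sslagent.cert to an endpoint, it is worth checking that the manager will accept it. The following added script (not part of the ThreatLockDown documentation) reproduces the CA, CSR and signing steps above in a scratch directory, then performs the two checks the manager relies on: the agent certificate must chain to rootCA.pem, and for host validation its CN must equal the agent IP. File names match the page; the agent IP 192.0.2.10 is a constructed sample value.

```shell
#!/bin/sh
# Added example: rebuilds the CA -> CSR -> signed agent certificate workflow
# from the steps above and verifies the result as the manager will.
# 192.0.2.10 is a constructed sample agent IP; files land in a temp directory.
set -eu

WORKDIR="$(mktemp -d)"
AGENT_IP="192.0.2.10"

# Prerequisites: self-signed root CA (same command as the page).
make_root_ca() {
    openssl req -x509 -new -nodes -newkey rsa:4096 -keyout "$WORKDIR/rootCA.key" \
        -out "$WORKDIR/rootCA.pem" -batch -subj "/C=US/ST=CA/O=Wazuh" 2>/dev/null
}

# Step 1 (with host validation) and step 2: CSR with the agent IP as CN,
# then signed by the CA for one year.
issue_agent_cert() {
    openssl req -new -nodes -newkey rsa:4096 -keyout "$WORKDIR/sslagent.key" \
        -out "$WORKDIR/sslagent.csr" -subj "/C=US/CN=$AGENT_IP" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORKDIR/sslagent.csr" -CA "$WORKDIR/rootCA.pem" \
        -CAkey "$WORKDIR/rootCA.key" -out "$WORKDIR/sslagent.cert" -CAcreateserial 2>/dev/null
}

# Chain check: does sslagent.cert validate against the root certificate that
# <ssl_agent_ca> points to? Prints "ok" or "fail".
verify_chain() {
    if openssl verify -CAfile "$WORKDIR/rootCA.pem" "$WORKDIR/sslagent.cert" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Host-validation check: extract the CN from the signed certificate.
cert_cn() {
    openssl x509 -in "$WORKDIR/sslagent.cert" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Compare the CN with the address the agent will enroll from.
cn_matches_agent() {
    [ "$(cert_cn)" = "$AGENT_IP" ] && echo match || echo mismatch
}

make_root_ca
issue_agent_cert
echo "chain: $(verify_chain)  cn: $(cert_cn) ($(cn_matches_agent))"
```

A certificate issued without host validation (no -subj) passes the chain check but has no CN to compare, which is exactly why it can be reused across agents.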

Linux/Unix endpoint

The following steps serve as a guide on how to enroll a Linux/Unix endpoint by using certificates for agent verification:

  1. Ensure that the signed SSL certificate and key files (sslagent.cert and sslagent.key) for the agent have been copied to the endpoint.

  2. As a root user, modify the ThreatLockDown agent configuration file located at /var/ossec/etc/ossec.conf and include the following:

    1. The ThreatLockDown manager IP address or DNS name in the <client><server><address> section.

    2. The local paths to the agent certificate and the agent key in the <client><enrollment> section.

     <client>
        <server>
           <address>MANAGER_IP</address>
        </server>
        <enrollment>
           <agent_certificate_path>CERTIFICATE_PATH</agent_certificate_path>
           <agent_key_path>KEY_PATH</agent_key_path>
        </enrollment>
     </client>
    
  3. Restart the agent to make the changes effective.

    # systemctl restart wazuh-agent
    
  4. Select the Endpoints Summary module to check for the newly enrolled agent and its connection status in the ThreatLockDown dashboard to confirm that enrollment was successful.

Windows endpoint

The following steps serve as a guide on how to enroll a Windows endpoint by using certificates for agent verification:

The ThreatLockDown agent installation directory depends on the architecture of the host.

  • C:\Program Files (x86)\ossec-agent for 64-bit systems.

  • C:\Program Files\ossec-agent for 32-bit systems.

  1. Ensure that the signed SSL certificate and key files (sslagent.cert and sslagent.key) have been copied to the endpoint.

  2. As a root user, modify the ThreatLockDown agent configuration file located at “C:\Program Files (x86)\ossec-agent\ossec.conf” and include the following:

    1. The ThreatLockDown manager IP address or DNS name in the <client><server><address> section.

    2. The local paths to the agent certificate and the agent key in the <client><enrollment> section.

      <client>
         <server>
            <address>MANAGER_IP</address>
         </server>
         <enrollment>
            <agent_certificate_path>CERTIFICATE_PATH</agent_certificate_path>
            <agent_key_path>KEY_PATH</agent_key_path>
         </enrollment>
      </client>
    
  3. Restart the agent to make the changes effective.

    # Restart-Service -Name wazuh
    
  4. Select the Endpoints Summary module to check for the newly enrolled agent and its connection status in the ThreatLockDown dashboard to confirm that enrollment was successful.

macOS endpoint

The following steps serve as a guide on how to enroll a macOS endpoint by using certificates for agent verification:

  1. Ensure that the signed SSL certificate and key files (sslagent.cert and sslagent.key) have been copied to the endpoint.

  2. As a root user, modify the ThreatLockDown agent configuration file located at /Library/Ossec/etc/ossec.conf and include the following:

    1. The ThreatLockDown manager IP address or DNS name in the <client><server><address> section.

    2. The local paths to the agent certificate and the agent key in the <client><enrollment> section.

      <client>
         <server>
            <address>MANAGER_IP</address>
         </server>
         <enrollment>
            <agent_certificate_path>CERTIFICATE_PATH</agent_certificate_path>
            <agent_key_path>KEY_PATH</agent_key_path>
         </enrollment>
      </client>
    
  3. Restart the agent to make the changes effective.

    # /Library/Ossec/bin/wazuh-control restart
    
  4. Select the Endpoints Summary module to check for the newly enrolled agent and its connection status in the ThreatLockDown dashboard to confirm that enrollment was successful.