Manager identity verification

This method uses SSL certificates to verify the identity of the ThreatLockDown manager before an agent sends the enrollment request. The manager verification and the agent verification are independent of each other. However, it is possible to use a combination of both.

Prerequisites

A certificate authority (CA) that signs certificates for the ThreatLockDown manager and agents is needed. If no certificate authority is already configured, the ThreatLockDown manager itself can act as the CA; create the root certificate and its private key with the following command:

# openssl req -x509 -new -nodes -newkey rsa:4096 -keyout rootCA.key -out rootCA.pem -batch -subj "/C=US/ST=CA/O=Wazuh"

The root certificate is created and saved as the rootCA.pem file.

Manager identity validation

In this scheme, the ThreatLockDown manager holds an SSL certificate issued by the certificate authority. During enrollment, the agent verifies the ThreatLockDown manager certificate against the root certificate of the CA.

Manager configuration

  1. Generate an SSL certificate on the ThreatLockDown manager signed by the certificate authority. The steps to generate an SSL certificate for the manager are as follows:

    1. Create a certificate request configuration file req.conf on the manager. Replace <manager_IP> with the hostname or the IP address of the ThreatLockDown manager where the ThreatLockDown agents are going to be enrolled. The contents of the file can be as follows:

            [req]
            distinguished_name = req_distinguished_name
            req_extensions = req_ext
            prompt = no
            [req_distinguished_name]
            C = US
            CN = <manager_IP>
            [req_ext]
            subjectAltName = @alt_names
            [alt_names]
            DNS.1 = wazuh
            DNS.2 = wazuh.com
      

      Where:

      • C is the country where the organization making this request is domiciled.

      • CN is the common name on the certificate. This should be the ThreatLockDown manager IP address or its DNS name. This field is mandatory.

      • subjectAltName is optional and specifies the alternate subject names that can be used for the server. Note that to allow the enrollment of ThreatLockDown agents with a SAN certificate, this extension must be included. In this case, the alternate DNS names for the ThreatLockDown manager are wazuh and wazuh.com.

    2. Create a certificate signing request (CSR) on the ThreatLockDown manager with the following command:

      # openssl req -new -nodes -newkey rsa:4096 -keyout sslmanager.key -out sslmanager.csr -config req.conf
      

      Where:

      • req.conf is the certificate request configuration file.

      • sslmanager.key is the private key for the certificate request.

      • sslmanager.csr is the CSR to be submitted to the certificate authority.

    3. Issue and sign the certificate for the manager CSR with the following command:

      # openssl x509 -req -days 365 -in sslmanager.csr -CA rootCA.pem -CAkey rootCA.key -out sslmanager.cert -CAcreateserial -extfile req.conf -extensions req_ext
      

      Where:

      • req.conf is the certificate request configuration file.

      • sslmanager.csr is the CSR to be submitted to the certificate authority.

      • sslmanager.cert is the signed SSL certificate from the CSR.

      • rootCA.pem is the root certificate for the CA.

      • The -extfile and -extensions options are required so that the extensions defined in the req_ext section of req.conf (the subjectAltName) are included in sslmanager.cert. Without them, openssl x509 -req does not carry the extensions over from the CSR, and the resulting certificate has no SAN.

    4. Copy the newly signed certificate and key files to /var/ossec/etc on the ThreatLockDown manager:

      # cp sslmanager.cert sslmanager.key /var/ossec/etc
      
    5. Restart the ThreatLockDown manager to apply the changes made.

      # systemctl restart wazuh-manager
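
The following script is an added example, not code from the original page or the project: it runs the manager certificate steps above end to end in a scratch directory and then performs the two checks a practitioner wants before copying the files into /var/ossec/etc, namely that the certificate chains to rootCA.pem (which is what the agent checks through server_ca_path) and that the subjectAltName actually made it into the signed certificate. It also signs the same CSR once without -extfile/-extensions to show that the SAN is silently dropped in that case. File names (rootCA.*, req.conf, sslmanager.*) follow the page; WORKDIR, the manager address 192.0.2.10 and the 2048-bit key size are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original page: runs the page's manager
# certificate procedure end to end in a scratch directory and then checks the
# result. File names (rootCA.*, req.conf, sslmanager.*) follow the page;
# WORKDIR, the manager address 192.0.2.10 and the 2048-bit key size are
# constructed for the demo.
set -eu

WORKDIR="$(mktemp -d)"
MANAGER_IP="192.0.2.10"

make_manager_cert() {
    # Prerequisite: a throwaway CA, as in the page's openssl req -x509 command
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$WORKDIR/rootCA.key" \
        -out "$WORKDIR/rootCA.pem" -batch -subj "/C=US/ST=CA/O=Wazuh" 2>/dev/null

    # Step 1: req.conf with <manager_IP> filled in
    cat > "$WORKDIR/req.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = US
CN = ${MANAGER_IP}
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = wazuh
DNS.2 = wazuh.com
EOF

    # Step 2: CSR and private key
    openssl req -new -nodes -newkey rsa:2048 -keyout "$WORKDIR/sslmanager.key" \
        -out "$WORKDIR/sslmanager.csr" -config "$WORKDIR/req.conf" 2>/dev/null

    # Step 3: sign with the CA; -extfile/-extensions carry req_ext into the cert
    openssl x509 -req -days 365 -in "$WORKDIR/sslmanager.csr" -CA "$WORKDIR/rootCA.pem" \
        -CAkey "$WORKDIR/rootCA.key" -out "$WORKDIR/sslmanager.cert" -CAcreateserial \
        -extfile "$WORKDIR/req.conf" -extensions req_ext 2>/dev/null
}

# What the agent does with server_ca_path: validate the chain against the root CA
verify_chain() {
    openssl verify -CAfile "$WORKDIR/rootCA.pem" "$WORKDIR/sslmanager.cert" >/dev/null 2>&1
}

# Confirm a given DNS name actually landed in the certificate's subjectAltName
cert_has_san() {
    openssl x509 -in "$WORKDIR/sslmanager.cert" -noout -text | grep -q "DNS:$1"
}

# Negative control: the same CSR signed without -extfile/-extensions has no SAN,
# which is the mistake step 3 guards against
sign_without_extensions_drops_san() {
    openssl x509 -req -days 365 -in "$WORKDIR/sslmanager.csr" -CA "$WORKDIR/rootCA.pem" \
        -CAkey "$WORKDIR/rootCA.key" -out "$WORKDIR/nosan.cert" -CAcreateserial 2>/dev/null
    ! openssl x509 -in "$WORKDIR/nosan.cert" -noout -text | grep -q "DNS:"
}

make_manager_cert
verify_chain && echo "chain verifies against rootCA.pem"
cert_has_san wazuh.com && echo "SAN wazuh.com present"
sign_without_extensions_drops_san && echo "without -extfile the SAN is dropped"
```

The verify_chain check is the one that matters for enrollment: an agent configured with server_ca_path rejects any manager certificate that does not chain to that root, so a certificate signed by a different or regenerated CA fails here before it fails in production.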
      

Linux/Unix endpoint

The following steps serve as a guide on how to enroll a Linux/Unix endpoint by using certificates to verify the manager identity:

  1. Ensure that the root certificate authority rootCA.pem file has been copied to the endpoint.

  2. As a root user, modify the ThreatLockDown agent configuration file located at /var/ossec/etc/ossec.conf and include the following:

    1. ThreatLockDown manager IP address or DNS name in the <client><server><address> section.

    2. Local path to root certificate in the <client><enrollment> section.

     <client>
        <server>
           <address>MANAGER_IP</address>
           ...
        </server>
        ...
        <enrollment>
           <server_ca_path>/path/to/rootCA.pem</server_ca_path>
           ...
        </enrollment>
        ...
     </client>
    
  3. Restart the agent to make the changes effective.

    # systemctl restart wazuh-agent
    
  4. Select the Endpoints Summary module to check for the newly enrolled agent and its connection status in the ThreatLockDown dashboard to confirm that enrollment was successful.
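
Before restarting the agent (step 3), it is worth confirming that the configuration it will read actually points at a usable root CA. The script below is an added example and not part of the page or the project: it extracts the address and server_ca_path values from an ossec.conf fragment, checks that the referenced file exists, parses as a certificate and is marked as a CA, and defines a live probe that presents the same CA to the manager the way the agent will. The ossec.conf fragment and the CA it references are constructed for the demo; on a real endpoint CONF would be /var/ossec/etc/ossec.conf and rootCA.pem the file copied in step 1. The enrollment port 1515 used by probe_manager is an assumption and not stated on the page.

```shell
#!/bin/sh
# Added example, not code from the page: pre-flight checks for the agent-side
# enrollment settings. The ossec.conf fragment and CA below are constructed;
# in practice point CONF at /var/ossec/etc/ossec.conf.
set -eu

WORKDIR="$(mktemp -d)"
CONF="$WORKDIR/ossec.conf"

# Constructed CA for the demo (on a real endpoint this file comes from the manager);
# basicConstraints is set explicitly so the CA check below does not depend on
# the local openssl.cnf defaults
openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$WORKDIR/rootCA.key" \
    -out "$WORKDIR/rootCA.pem" -batch -subj "/C=US/ST=CA/O=Wazuh" \
    -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null

# Constructed ossec.conf fragment mirroring the <client> block on the page
cat > "$CONF" <<EOF
<ossec_config>
  <client>
    <server>
      <address>192.0.2.10</address>
    </server>
    <enrollment>
      <server_ca_path>$WORKDIR/rootCA.pem</server_ca_path>
    </enrollment>
  </client>
</ossec_config>
EOF

# Pull one element's text out of the config (first occurrence wins)
conf_value() {
    sed -n "s#.*<$2>\(.*\)</$2>.*#\1#p" "$1" | head -n 1
}

# The CA file must exist, parse as a certificate and carry CA:TRUE; a leaf
# certificate or a wrong path here makes every enrollment fail verification
check_ca_file() {
    ca="$(conf_value "$1" server_ca_path)"
    [ -n "$ca" ] && [ -r "$ca" ] || return 1
    openssl x509 -in "$ca" -noout -text 2>/dev/null | grep -q "CA:TRUE"
}

# Live check (needs network, not run here): connect to the manager's enrollment
# listener with the configured CA, exactly as the agent will. Port 1515 is
# an assumption; -verify_return_error makes a failed chain check a hard error.
probe_manager() {
    addr="$(conf_value "$1" address)"
    ca="$(conf_value "$1" server_ca_path)"
    openssl s_client -connect "$addr:1515" -CAfile "$ca" -verify_return_error </dev/null
}

check_ca_file "$CONF" && echo "server_ca_path OK: $(conf_value "$CONF" server_ca_path)"
```

Run probe_manager "$CONF" from the endpoint once the CA file is in place; a "Verify return code: 0 (ok)" line means the manager certificate chains to the configured root and enrollment will pass the identity check.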

Windows endpoint

The following steps serve as a guide on how to enroll a Windows endpoint by using certificates to verify the manager identity:

The ThreatLockDown agent installation directory depends on the architecture of the host.

  • C:\Program Files (x86)\ossec-agent for 64-bit systems.

  • C:\Program Files\ossec-agent for 32-bit systems.

  1. Ensure that the root certificate authority rootCA.pem file has been copied to the endpoint.

  2. As a user with administrator privileges, modify the ThreatLockDown agent configuration file located at "C:\Program Files (x86)\ossec-agent\ossec.conf" and include the following:

    1. ThreatLockDown manager IP address or DNS name in the <client><server><address> section.

    2. Local path to root certificate in the <client><enrollment><server_ca_path> section.

     <client>
        <server>
           <address>MANAGER_IP</address>
           ...
        </server>
        ...
        <enrollment>
           <server_ca_path>C:\path\to\rootCA.pem</server_ca_path>
           ...
        </enrollment>
        ...
     </client>
    
  3. Restart the agent to make the changes effective.

    # Restart-Service -Name wazuh
    
  4. Select the Endpoints Summary module to check for the newly enrolled agent and its connection status in the ThreatLockDown dashboard to confirm that enrollment was successful.

macOS endpoint

The following steps serve as a guide on how to enroll a macOS endpoint by using certificates to verify the manager identity:

  1. Ensure that the root certificate authority rootCA.pem file has been copied to the endpoint.

  2. As a root user, modify the ThreatLockDown agent configuration file located at /Library/Ossec/etc/ossec.conf and include the following:

    1. ThreatLockDown manager IP address or DNS name in the <client><server><address> section.

    2. Local path to root certificate in the <client><enrollment> section.

    <client>
       <server>
          <address>MANAGER_IP</address>
          ...
       </server>
       ...
       <enrollment>
          <server_ca_path>/path/to/rootCA.pem</server_ca_path>
          ...
       </enrollment>
       ...
    </client>
    
  3. Restart the agent to make the changes effective.

    # /Library/Ossec/bin/wazuh-control restart
    
  4. Select the Endpoints Summary module to check for the newly enrolled agent and its connection status in the ThreatLockDown dashboard to confirm that enrollment was successful.