From 7105791817f74ae8fc89129992b4819eff408732 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?=
Date: Mon, 26 Aug 2024 15:00:19 +0200
Subject: [PATCH 01/18] Migrated offline installation workflow
---
.../actions/offline-installation/common.sh | 317 ++++++++++++++++++
.../offline-installation.sh | 21 ++
.github/workflows/offline-installation.yml | 61 ++++
3 files changed, 399 insertions(+)
create mode 100644 .github/actions/offline-installation/common.sh
create mode 100644 .github/actions/offline-installation/offline-installation.sh
create mode 100644 .github/workflows/offline-installation.yml
diff --git a/.github/actions/offline-installation/common.sh b/.github/actions/offline-installation/common.sh
new file mode 100644
index 0000000..6330ce2
--- /dev/null
+++ b/.github/actions/offline-installation/common.sh
@@ -0,0 +1,317 @@
+#!/bin/bash
+
+function check_package() {
+
+ if [ "${sys_type}" == "deb" ]; then
+ if ! apt list --installed 2>/dev/null | grep -q "${1}"; then
+ echo "INFO: The package "${1}" is not installed."
+ return 1
+ fi
+ elif [ "${sys_type}" == "rpm" ]; then
+ if ! yum list installed 2>/dev/null | grep -q "${1}"; then
+ echo "INFO: The package "${1}" is not installed."
+ return 1
+ fi
+ fi
+ return 0
+
+}
+
+function check_system() {
+
+ if [ -n "$(command -v yum)" ]; then
+ sys_type="rpm"
+ echo "INFO: RPM system detected."
+ elif [ -n "$(command -v apt-get)" ]; then
+ sys_type="deb"
+ echo "INFO: DEB system detected."
+ else
+ echo "ERROR: could not detect the system."
+ exit 1
+ fi
+
+}
+
+function check_file() {
+
+ if [ ! -f "${1}" ]; then
+ echo "ERROR: The ${1} file could not be downloaded."
+ exit 1
+ fi
+
+}
+
+function check_shards() {
+
+ retries=0
+ until [ "$(curl -s -k -u admin:admin "https://127.0.0.1:9200/_template/wazuh?pretty&filter_path=wazuh.settings.index.number_of_shards" | grep "number_of_shards")" ] || [ "${retries}" -eq 5 ]; do
+ sleep 5
+ retries=$((retries+1))
+ done
+
+ if [ ${retries} -eq 5 ]; then
+ echo "ERROR: Could not get the number of shards."
+ exit 1
+ fi
+ curl -s -k -u admin:admin "https://127.0.0.1:9200/_template/wazuh?pretty&filter_path=wazuh.settings.index.number_of_shards"
+ echo "INFO: Number of shards detected."
+
+}
+
+function dashboard_installation() {
+
+ install_package "wazuh-dashboard"
+ check_package "wazuh-dashboard"
+
+ echo "INFO: Generating certificates of the Wazuh dashboard..."
+ NODE_NAME=dashboard
+ mkdir /etc/wazuh-dashboard/certs
+ mv -n wazuh-certificates/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
+ mv -n wazuh-certificates/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
+ cp wazuh-certificates/root-ca.pem /etc/wazuh-dashboard/certs/
+ chmod 500 /etc/wazuh-dashboard/certs
+ chmod 400 /etc/wazuh-dashboard/certs/*
+ chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
+
+ if [ "${sys_type}" == "deb" ]; then
+ enable_start_service "wazuh-dashboard"
+ elif [ "${sys_type}" == "rpm" ]; then
+ /usr/share/wazuh-dashboard/bin/opensearch-dashboards "-c /etc/wazuh-dashboard/opensearch_dashboards.yml" --allow-root > /dev/null 2>&1 &
+ fi
+
+ retries=0
+ # In this context, 302 HTTP code refers to SSL certificates warning: success.
+ until [ "$(curl -k -s -I -w "%{http_code}" https://127.0.0.1 -o /dev/null --fail)" -ne "302" ] || [ "${retries}" -eq 5 ]; do
+ echo "INFO: Sleeping 10 seconds."
+ sleep 10
+ retries=$((retries+1))
+ done
+ if [ ${retries} -eq 5 ]; then
+ echo "ERROR: The Wazuh dashboard installation has failed."
+ exit 1
+ else
+ echo "INFO: The Wazuh dashboard is ready."
+ fi
+
+}
+
+function download_resources() {
+
+ check_file "${ABSOLUTE_PATH}"/wazuh-install.sh
+ bash "${ABSOLUTE_PATH}"/wazuh-install.sh -dw "${sys_type}"
+ echo "INFO: Downloading the resources..."
+
+ curl -sO https://packages.wazuh.com/4.3/config.yml
+ check_file "config.yml"
+
+ sed -i -e '0,// s//127.0.0.1/' config.yml
+ sed -i -e '0,// s//127.0.0.1/' config.yml
+ sed -i -e '0,// s//127.0.0.1/' config.yml
+
+ curl -sO https://packages.wazuh.com/4.3/wazuh-certs-tool.sh
+ check_file "wazuh-certs-tool.sh"
+ chmod 744 wazuh-certs-tool.sh
+ ./wazuh-certs-tool.sh --all
+
+ tar xf wazuh-offline.tar.gz
+ echo "INFO: Download finished."
+
+ if [ ! -d ./wazuh-offline ]; then
+ echo "ERROR: Could not download the resources."
+ exit 1
+ fi
+
+}
+
+function enable_start_service() {
+
+ systemctl daemon-reload
+ systemctl enable "${1}"
+ systemctl start "${1}"
+
+ retries=0
+ until [ "$(systemctl status "${1}" | grep "active")" ] || [ "${retries}" -eq 3 ]; do
+ sleep 2
+ retries=$((retries+1))
+ systemctl start "${1}"
+ done
+
+ if [ ${retries} -eq 3 ]; then
+ echo "ERROR: The "${1}" service could not be started."
+ exit 1
+ fi
+
+}
+
+function filebeat_installation() {
+
+ install_package "filebeat"
+ check_package "filebeat"
+
+ cp ./wazuh-offline/wazuh-files/filebeat.yml /etc/filebeat/ &&\
+ cp ./wazuh-offline/wazuh-files/wazuh-template.json /etc/filebeat/ &&\
+ chmod go+r /etc/filebeat/wazuh-template.json
+
+ sed -i 's|\("index.number_of_shards": \)".*"|\1 "1"|' /etc/filebeat/wazuh-template.json
+ filebeat keystore create
+ echo admin | filebeat keystore add username --stdin --force
+ echo admin | filebeat keystore add password --stdin --force
+ tar -xzf ./wazuh-offline/wazuh-files/wazuh-filebeat-0.4.tar.gz -C /usr/share/filebeat/module
+
+ echo "INFO: Generating certificates of Filebeat..."
+ NODE_NAME=wazuh-1
+ mkdir /etc/filebeat/certs
+ mv -n wazuh-certificates/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
+ mv -n wazuh-certificates/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
+ cp wazuh-certificates/root-ca.pem /etc/filebeat/certs/
+ chmod 500 /etc/filebeat/certs
+ chmod 400 /etc/filebeat/certs/*
+ chown -R root:root /etc/filebeat/certs
+
+ if [ "${sys_type}" == "deb" ]; then
+ enable_start_service "filebeat"
+ elif [ "${sys_type}" == "rpm" ]; then
+ /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat &
+ fi
+
+ sleep 10
+ check_shards
+ eval "filebeat test output"
+ if [ "${PIPESTATUS[0]}" != 0 ]; then
+ echo "ERROR: The Filebeat installation has failed."
+ exit 1
+ fi
+
+}
+
+function indexer_initialize() {
+
+ retries=0
+ until [ "$(cat /var/log/wazuh-indexer/wazuh-cluster.log | grep "Node started")" ] || [ "${retries}" -eq 5 ]; do
+ sleep 5
+ retries=$((retries+1))
+ done
+
+ if [ ${retries} -eq 5 ]; then
+ echo "ERROR: The indexer node is not started."
+ exit 1
+ fi
+ /usr/share/wazuh-indexer/bin/indexer-security-init.sh
+
+}
+
+function indexer_installation() {
+
+ if [ "${sys_type}" == "rpm" ]; then
+ rpm --import ./wazuh-offline/wazuh-files/GPG-KEY-WAZUH
+ fi
+
+ install_package "wazuh-indexer"
+ check_package "wazuh-indexer"
+
+ echo "INFO: Generating certificates of the Wazuh indexer..."
+ NODE_NAME=node-1
+ mkdir /etc/wazuh-indexer/certs
+ mv -n wazuh-certificates/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
+ mv -n wazuh-certificates/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
+ mv wazuh-certificates/admin-key.pem /etc/wazuh-indexer/certs/
+ mv wazuh-certificates/admin.pem /etc/wazuh-indexer/certs/
+ cp wazuh-certificates/root-ca.pem /etc/wazuh-indexer/certs/
+ chmod 500 /etc/wazuh-indexer/certs
+ chmod 400 /etc/wazuh-indexer/certs/*
+ chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
+
+ sed -i 's|\(network.host: \)"0.0.0.0"|\1"127.0.0.1"|' /etc/wazuh-indexer/opensearch.yml
+
+ if [ "${sys_type}" == "rpm" ]; then
+ runuser "wazuh-indexer" --shell="/bin/bash" --command="OPENSEARCH_PATH_CONF=/etc/wazuh-indexer /usr/share/wazuh-indexer/bin/opensearch" > /dev/null 2>&1 &
+ sleep 5
+ elif [ "${sys_type}" == "deb" ]; then
+ enable_start_service "wazuh-indexer"
+ fi
+
+ indexer_initialize
+ sleep 10
+ eval "curl -s -XGET https://127.0.0.1:9200 -u admin:admin -k --fail"
+ if [ "${PIPESTATUS[0]}" != 0 ]; then
+ echo "ERROR: The Wazuh indexer installation has failed."
+ exit 1
+ fi
+
+}
+
+function install_dependencies() {
+
+ if [ "${sys_type}" == "rpm" ]; then
+ dependencies=( util-linux initscripts openssl )
+ not_installed=()
+ for dep in "${dependencies[@]}"; do
+ if [ "${dep}" == "openssl" ]; then
+ if ! yum list installed 2>/dev/null | grep -q "${dep}\.";then
+ not_installed+=("${dep}")
+ fi
+ elif ! yum list installed 2>/dev/null | grep -q "${dep}";then
+ not_installed+=("${dep}")
+ fi
+ done
+
+ if [ "${#not_installed[@]}" -gt 0 ]; then
+ echo "--- Dependencies ---"
+ for dep in "${not_installed[@]}"; do
+ echo "Installing $dep."
+ eval "yum install ${dep} -y"
+ if [ "${PIPESTATUS[0]}" != 0 ]; then
+ echo "ERROR: Cannot install dependency: ${dep}."
+ exit 1
+ fi
+ done
+ fi
+
+ elif [ "${sys_type}" == "deb" ]; then
+ eval "apt-get update -q > /dev/null"
+ dependencies=( openssl )
+ not_installed=()
+
+ for dep in "${dependencies[@]}"; do
+ if ! apt list --installed 2>/dev/null | grep -q "${dep}"; then
+ not_installed+=("${dep}")
+ fi
+ done
+
+ if [ "${#not_installed[@]}" -gt 0 ]; then
+ echo "--- Dependencies ----"
+ for dep in "${not_installed[@]}"; do
+ echo "Installing $dep."
+ apt-get install -y "${dep}"
+ if [ "${install_result}" != 0 ]; then
+ echo "ERROR: Cannot install dependency: ${dep}."
+ exit 1
+ fi
+ done
+ fi
+ fi
+
+}
+
+function install_package() {
+
+ if [ "${sys_type}" == "deb" ]; then
+ dpkg -i ./wazuh-offline/wazuh-packages/"${1}"*.deb
+ elif [ "${sys_type}" == "rpm" ]; then
+ rpm -ivh ./wazuh-offline/wazuh-packages/"${1}"*.rpm
+ fi
+
+}
+
+function manager_installation() {
+
+ install_package "wazuh-manager"
+ check_package "wazuh-manager"
+
+ if [ "${sys_type}" == "deb" ]; then
+ enable_start_service "wazuh-manager"
+ elif [ "${sys_type}" == "rpm" ]; then
+ /var/ossec/bin/wazuh-control start
+ fi
+
+}
diff --git a/.github/actions/offline-installation/offline-installation.sh b/.github/actions/offline-installation/offline-installation.sh
new file mode 100644
index 0000000..787b20b
--- /dev/null
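Review bot: The readiness loop in dashboard_installation is inverted: `until [ "$(curl …)" -ne "302" ]` ends as soon as the status is anything other than 302, so a dashboard that never came up (curl prints 000) is reported as ready, while one that answers the expected 302 runs into the failure branch after five retries; the comparison should be `-eq "302"`. In the deb branch of install_dependencies `install_result` is never assigned, so the check after `apt-get install -y "${dep}"` always takes the error path; `if ! apt-get install -y "${dep}"; then` tests the real exit status. download_resources fetches `config.yml` and `wazuh-certs-tool.sh` with `curl -sO`, and check_file only tests that a file exists, so an HTTP error body passes the check and the downloaded file is then executed (the workflow runs this script under sudo); adding `--fail` to both downloads makes the check meaningful.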
+++ b/.github/actions/offline-installation/offline-installation.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Gets the absolute path of the script, used to load the common.sh file
+ABSOLUTE_PATH="$( cd $(dirname ${0}) ; pwd -P )"
+. ${ABSOLUTE_PATH}/common.sh
+
+check_system
+install_dependencies
+download_resources
+
+indexer_installation
+echo "INFO: Wazuh indexer installation completed."
+
+manager_installation
+echo "INFO: Wazuh manager installation completed."
+
+filebeat_installation
+echo "INFO: Filebeat installation completed."
+
+dashboard_installation
+echo "INFO: Wazuh dashboard installation completed."
diff --git a/.github/workflows/offline-installation.yml b/.github/workflows/offline-installation.yml
new file mode 100644
index 0000000..5c5bb59
--- /dev/null
+++ b/.github/workflows/offline-installation.yml
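Review bot: `ABSOLUTE_PATH="$( cd $(dirname ${0}) ; pwd -P )"` joins the two commands with `;`, so when the `cd` fails `pwd -P` still prints the caller's directory and `common.sh` is sourced from there; the expansions are also unquoted, so a path containing spaces is split. Suggested: `ABSOLUTE_PATH="$( cd "$(dirname "${0}")" && pwd -P )"` and `. "${ABSOLUTE_PATH}/common.sh"`. The script sets neither `set -e` nor any status check, so each "installation completed" line is echoed regardless of the status the preceding function returns.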
@@ -0,0 +1,61 @@
+name: Offline installation test
+on:
+ pull_request:
+ paths:
+ - 'install_functions/wazuh-offline-download.sh'
+ - 'install_functions/wazuh-offline-installation.sh'
+ workflow_dispatch:
+
+jobs:
+ Build-wazuh-install-script:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Cancel previous runs
+ uses: fkirc/skip-duplicate-actions@master
+ with:
+ cancel_others: 'true'
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ skip_after_successful_duplicate: 'false'
+
+ - uses: actions/checkout@v2
+
+ - name: Build wazuh-install script and use staging packages
+ run: bash builder.sh -i -d staging
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: script
+ path: ./wazuh-install.sh
+ if-no-files-found: error
+
+ Test-offline-installation-debian:
+ runs-on: ubuntu-latest
+ needs: Build-wazuh-install-script
+ steps:
+ - uses: actions/checkout@v2
+
+ - uses: actions/download-artifact@v3
+ with:
+ name: script
+
+ - name: Move installation assistant script
+ run: cp $GITHUB_WORKSPACE/wazuh-install.sh $GITHUB_WORKSPACE/.github/actions/offline-installation/wazuh-install.sh
+
+ - name: Run script
+ run: sudo bash $GITHUB_WORKSPACE/.github/actions/offline-installation/offline-installation.sh
+
+ Test-offline-installation-rpm:
+ runs-on: ubuntu-latest
+ needs: Build-wazuh-install-script
+ steps:
+ - uses: actions/checkout@v2
+
+ - uses: actions/download-artifact@v3
+ with:
+ name: script
+
+ - name: Move unattended script
+ run: cp $GITHUB_WORKSPACE/wazuh-install.sh $GITHUB_WORKSPACE/.github/actions/offline-installation/wazuh-install.sh
+
+ - name: Launch docker and run script
+ run: sudo docker run -v $GITHUB_WORKSPACE/.github/actions/offline-installation/:/tests centos:centos7 bash /tests/offline-installation.sh
From 53a9a0f1d2420c4e86b75b43213e18aa3712002b Mon Sep 17 00:00:00 2001
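Review bot: The `Cancel previous runs` step uses `fkirc/skip-duplicate-actions@master`, a third-party action referenced by a mutable branch, and hands it `secrets.GITHUB_TOKEN`; whatever lands on that branch runs with the token in this repository. Pin it to a full commit SHA, e.g. `uses: fkirc/skip-duplicate-actions@<full-commit-sha>` (placeholder), and add a `permissions:` block limited to what the job needs, since none is declared here. The rpm job's `centos:centos7` image is likewise a mutable tag and could be pinned by digest.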
From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?=
Date: Mon, 26 Aug 2024 15:12:00 +0200
Subject: [PATCH 02/18] Migrated passwords tool workflow
---
.../passwords-tool/tests-stack-failure.sh | 20 ++++
.../passwords-tool/tests-stack-success.sh | 91 +++++++++++++++++++
.github/workflows/password-tool.yml | 54 +++++++++++
3 files changed, 165 insertions(+)
create mode 100644 .github/actions/passwords-tool/tests-stack-failure.sh
create mode 100644 .github/actions/passwords-tool/tests-stack-success.sh
create mode 100644 .github/workflows/password-tool.yml
diff --git a/.github/actions/passwords-tool/tests-stack-failure.sh b/.github/actions/passwords-tool/tests-stack-failure.sh
new file mode 100644
index 0000000..223f989
--- /dev/null
+++ b/.github/actions/passwords-tool/tests-stack-failure.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+apiPass="$(cat wazuh-install-files/wazuh-passwords.txt | awk "/username: 'wazuh'/{getline;print;}" | awk '{ print $2 }' | tr -d \' )"
+adminPass="$(cat wazuh-install-files/wazuh-passwords.txt | awk "/username: 'admin'/{getline;print;}" | awk '{ print $2 }' | tr -d \')"
+
+if ! bash wazuh-passwords-tool.sh -u wazuuuh | grep "ERROR"; then
+ exit 1
+elif ! sudo bash wazuh-passwords-tool.sh -u admin -p password | grep "ERROR"; then
+ exit 1
+elif ! sudo bash wazuh-passwords-tool.sh -au wazuh -ap "${adminPass}" -u wazuh -p password -A | grep "ERROR"; then
+ exit 1
+elif ! curl -s -u wazuh:wazuh -k -X POST "https://127.0.0.1:55000/security/user/authenticate" | grep "Invalid credentials"; then
+ exit 1
+elif ! curl -s -u wazuuh:"${apiPass}" -k -X POST "https://127.0.0.1:55000/security/user/authenticate" | grep "Invalid credentials"; then
+ exit 1
+elif ! curl -s -XGET https://127.0.0.1:9200/ -u admin:admin -k | grep "Unauthorized"; then
+ exit 1
+elif ! curl -s -XGET https://127.0.0.1:9200/ -u adminnnn:"${adminPass}" -k | grep "Unauthorized"; then
+ exit 1
+fi
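Review bot: Each negative case passes when the tool prints any line containing `ERROR`, so a failure for an unrelated reason is counted as the expected rejection. The third case looks affected: it authenticates with `-au wazuh -ap "${adminPass}"`, i.e. the indexer admin password for the API user, so the error it sees is probably the failed API login rather than the weak `-p password` being refused; `"${apiPass}"` seems to be what was meant, though the intended scenario is not visible here. Matching the specific message each case expects with `grep -q` would pin the behaviour under test and keep the matched output out of the job log.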
diff --git a/.github/actions/passwords-tool/tests-stack-success.sh b/.github/actions/passwords-tool/tests-stack-success.sh
new file mode 100644
index 0000000..0782439
--- /dev/null
+++ b/.github/actions/passwords-tool/tests-stack-success.sh
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+users=( admin kibanaserver kibanaro logstash readall snapshotrestore )
+api_users=( wazuh wazuh-wui )
+
+echo '::group:: Change indexer password, password providing it.'
+
+bash wazuh-passwords-tool.sh -u admin -p LN*X1v.VNtCZ5sESEtLfijPAd39LXGAI
+if curl -s -XGET https://127.0.0.1:9200/ -u admin:LN*X1v.VNtCZ5sESEtLfijPAd39LXGAI -k -w %{http_code} | grep "401"; then
+ exit 1
+fi
+echo '::endgroup::'
+
+echo '::group:: Change indexer password without providing it.'
+
+indx_pass="$(bash wazuh-passwords-tool.sh -u admin | awk '/admin/{ print $NF }' | tr -d \' )"
+if curl -s -XGET https://127.0.0.1:9200/ -u admin:"${indx_pass}" -k -w %{http_code} | grep "401"; then
+ exit 1
+fi
+
+echo '::endgroup::'
+
+echo '::group:: Change all passwords except Wazuh API ones.'
+
+mapfile -t pass < <(bash wazuh-passwords-tool.sh -a | grep 'The password for' | awk '{ print $NF }')
+for i in "${!users[@]}"; do
+ if curl -s -XGET https://127.0.0.1:9200/ -u "${users[i]}":"${pass[i]}" -k -w %{http_code} | grep "401"; then
+ exit 1
+ fi
+done
+
+echo '::endgroup::'
+
+echo '::group:: Change all passwords.'
+
+wazuh_pass="$(cat wazuh-install-files/wazuh-passwords.txt | awk "/username: 'wazuh'/{getline;print;}" | awk '{ print $2 }' | tr -d \' )"
+
+mapfile -t passall < <(bash wazuh-passwords-tool.sh -a -au wazuh -ap "${wazuh_pass}" | grep 'The password for' | awk '{ print $NF }' )
+passindexer=("${passall[@]:0:6}")
+passapi=("${passall[@]:(-2)}")
+
+for i in "${!users[@]}"; do
+ if curl -s -XGET https://127.0.0.1:9200/ -u "${users[i]}":"${passindexer[i]}" -k -w %{http_code} | grep "401"; then
+ exit 1
+ fi
+done
+
+for i in "${!api_users[@]}"; do
+ if curl -s -u "${api_users[i]}":"${passapi[i]}" -w "%{http_code}" -k -X POST "https://127.0.0.1:55000/security/user/authenticate" | grep "401"; then
+ exit 1
+ fi
+done
+
+echo '::endgroup::'
+
+echo '::group:: Change single Wazuh API user.'
+
+bash wazuh-passwords-tool.sh -au wazuh -ap "${passapi[0]}" -u wazuh -p BkJt92r*ndzN.CkCYWn?d7i5Z7EaUt63 -A
+ if curl -s -w "%{http_code}" -u wazuh:BkJt92r*ndzN.CkCYWn?d7i5Z7EaUt63 -k -X POST "https://127.0.0.1:55000/security/user/authenticate" | grep "401"; then
+ exit 1
+ fi
+echo '::endgroup::'
+
+echo '::group:: Change all passwords except Wazuh API ones using a file.'
+
+mapfile -t passfile < <(bash wazuh-passwords-tool.sh -f wazuh-install-files/wazuh-passwords.txt | grep 'The password for' | awk '{ print $NF }' )
+for i in "${!users[@]}"; do
+ if curl -s -XGET https://127.0.0.1:9200/ -u "${users[i]}":"${passfile[i]}" -k -w %{http_code} | grep "401"; then
+ exit 1
+ fi
+done
+echo '::endgroup::'
+
+echo '::group:: Change all passwords from a file.'
+mapfile -t passallf < <(bash wazuh-passwords-tool.sh -f wazuh-install-files/wazuh-passwords.txt -au wazuh -ap BkJt92r*ndzN.CkCYWn?d7i5Z7EaUt63 | grep 'The password for' | awk '{ print $NF }' )
+passindexerf=("${passallf[@]:0:6}")
+passapif=("${passallf[@]:(-2)}")
+
+for i in "${!users[@]}"; do
+ if curl -s -XGET https://127.0.0.1:9200/ -u "${users[i]}":"${passindexerf[i]}" -k -w %{http_code} | grep "401"; then
+ exit 1
+ fi
+done
+
+for i in "${!api_users[@]}"; do
+ if curl -s -u "${api_users[i]}":"${passapif[i]}" -w "%{http_code}" -k -X POST "https://127.0.0.1:55000/security/user/authenticate" | grep "401"; then
+ exit 1
+ fi
+done
+
+echo '::endgroup::'
diff --git a/.github/workflows/password-tool.yml b/.github/workflows/password-tool.yml
new file mode 100644
index 0000000..46ac552
--- /dev/null
+++ b/.github/workflows/password-tool.yml
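Review bot: Every success check only fails on `grep "401"`, so a request that never authenticated still passes: if the service is down curl prints `000`, and because the response body is part of what grep sees, a `401` anywhere in it would also fail a good login. Asserting the expected status closes both, e.g. `[ "$(curl -s -k -o /dev/null -w '%{http_code}' -u admin:"${indx_pass}" https://127.0.0.1:9200/)" = "200" ] || exit 1`. The literal passwords passed to `-p`, `-ap` and `-u` contain `*` and `?` and are unquoted, so they are subject to pathname expansion; single-quote them, and quote `%{http_code}` consistently.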
@@ -0,0 +1,54 @@
+on:
+ pull_request:
+ paths:
+ - 'passwords_tool/**'
+
+jobs:
+ Build-password-tool-and-wazuh-install-scripts:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Build password-tool and wazuh-install scripts
+ run: |
+ bash builder.sh -p
+ bash builder.sh -i -d staging
+ shell: bash
+ - uses: actions/upload-artifact@v3
+ with:
+ name: scripts
+ path: |
+ ./wazuh-install.sh
+ ./wazuh-passwords-tool.sh
+ if-no-files-found: error
+
+ test-password-tool-success:
+ runs-on: ubuntu-latest
+ needs: Build-password-tool-and-wazuh-install-scripts
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/download-artifact@v3
+ with:
+ name: scripts
+ - name: Install wazuh
+ run: |
+ sudo bash wazuh-install.sh -a -v
+ - name: Uncompress wazuh install files
+ run: sudo tar -xvf wazuh-install-files.tar
+ - name: Run script
+ run: sudo bash .github/actions/passwords-tool/tests-stack-success.sh
+
+ test-password-tool-failure:
+ runs-on: ubuntu-latest
+ needs: Build-password-tool-and-wazuh-install-scripts
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/download-artifact@v3
+ with:
+ name: scripts
+ - name: Install wazuh
+ run: |
+ sudo bash wazuh-install.sh -a -v
+ - name: Uncompress wazuh install files
+ run: sudo tar -xvf wazuh-install-files.tar
+ - name: Run script
+ run: sudo bash .github/actions/passwords-tool/tests-stack-failure.sh
From 6d735485a11d5bb1952f8b53ea4687a3d6944ad7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?=
Date: Tue, 27 Aug 2024 09:18:22 +0200
Subject: [PATCH 03/18] Updated checkout action version
---
.github/workflows/offline-installation.yml | 6 +++---
.github/workflows/password-tool.yml | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/offline-installation.yml b/.github/workflows/offline-installation.yml
index 5c5bb59..4cf5974 100644
--- a/.github/workflows/offline-installation.yml
+++ b/.github/workflows/offline-installation.yml
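Review bot: No `permissions:` block is declared, so all three jobs get the repository's default GITHUB_TOKEN scope although the steps shown only check out the code and pass artifacts between jobs. Adding a top-level `permissions:` with `contents: read` keeps the token read-only for pull-request runs. The workflow also has no `name:` key, unlike offline-installation.yml, so it is listed under its file path.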
@@ -17,7 +17,7 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} skip_after_successful_duplicate: 'false' - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Build wazuh-install script and use staging packages run: bash builder.sh -i -d staging @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest needs: Build-wazuh-install-script steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - uses: actions/download-artifact@v3 with: @@ -48,7 +48,7 @@ jobs: runs-on: ubuntu-latest needs: Build-wazuh-install-script steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - uses: actions/download-artifact@v3 with: diff --git a/.github/workflows/password-tool.yml b/.github/workflows/password-tool.yml index 46ac552..9584fc0 100644 --- a/.github/workflows/password-tool.yml +++ b/.github/workflows/password-tool.yml @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest needs: Build-password-tool-and-wazuh-install-scripts steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - uses: actions/download-artifact@v3 with: name: scripts From b8b3345f9ed3c1647fa0dfc12619a2ec6fa831d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 27 Aug 2024 09:19:50 +0200 Subject: [PATCH 04/18] Updated major version in offline workflow --- .github/actions/offline-installation/common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/offline-installation/common.sh b/.github/actions/offline-installation/common.sh index 6330ce2..1adc952 100644 --- a/.github/actions/offline-installation/common.sh +++ b/.github/actions/offline-installation/common.sh 
@@ -101,14 +101,14 @@ function download_resources() { bash "${ABSOLUTE_PATH}"/wazuh-install.sh -dw "${sys_type}" echo "INFO: Downloading the resources..." - curl -sO https://packages.wazuh.com/4.3/config.yml + curl -sO https://packages.wazuh.com/4.10/config.yml check_file "config.yml" sed -i -e '0,// s//127.0.0.1/' config.yml sed -i -e '0,// s//127.0.0.1/' config.yml sed -i -e '0,// s//127.0.0.1/' config.yml - curl -sO https://packages.wazuh.com/4.3/wazuh-certs-tool.sh + curl -sO https://packages.wazuh.com/4.10/wazuh-certs-tool.sh check_file "wazuh-certs-tool.sh" chmod 744 wazuh-certs-tool.sh ./wazuh-certs-tool.sh --all From f7a0bc10f6107c7c020e5bbc26ca73390b528727 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Tue, 27 Aug 2024 09:37:44 +0200 Subject: [PATCH 05/18] Changed unattended reference in offline worklfow --- .github/workflows/offline-installation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/offline-installation.yml b/.github/workflows/offline-installation.yml index 4cf5974..1d31ec4 100644 --- a/.github/workflows/offline-installation.yml +++ b/.github/workflows/offline-installation.yml @@ -54,7 +54,7 @@ jobs: with: name: script - - name: Move unattended script + - name: Move installation assistant script run: cp $GITHUB_WORKSPACE/wazuh-install.sh $GITHUB_WORKSPACE/.github/actions/offline-installation/wazuh-install.sh - name: Launch docker and run script From 7bbdee7d6d3496dee8ed30f6cf2a5e5cba1e3dc2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Anguita=20L=C3=B3pez?= Date: Thu, 29 Aug 2024 10:43:45 +0200 Subject: [PATCH 06/18] add gitignore file and certain files to ignore --- .gitignore | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e042663 --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,14 @@ +wazuh-install.sh +wazuh-passwords-tool.sh +wazuh-certs-tool.sh +*.pem +*.ova +*.ovf +*.deb +*.rpm +*.zip +*.tar.gz +*.pkg +*.msi +*.log +*.key \ No newline at end of file From 8573c5e6530e7c6554876e4571b59620ca97e221 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Anguita=20L=C3=B3pez?= Date: Thu, 29 Aug 2024 14:45:38 +0200 Subject: [PATCH 07/18] added wazuh-install and wazuh-offline file --- .gitignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitignore b/.gitignore index e042663..86ec8cf 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,10 @@ wazuh-install.sh wazuh-passwords-tool.sh wazuh-certs-tool.sh +config.yml +wazuh-install-files.tar +wazuh-install-files/ +wazuh-offline.tar.gz *.pem *.ova *.ovf From 0e97090e587283ba23b07895572c8dd75bec978b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Anguita=20L=C3=B3pez?= Date: Thu, 29 Aug 2024 14:53:54 +0200 Subject: [PATCH 08/18] add wazuh-offline directory --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 86ec8cf..4fb53cf 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,7 @@ config.yml wazuh-install-files.tar wazuh-install-files/ wazuh-offline.tar.gz +wazuh-offline/ *.pem *.ova *.ovf From c63e0b6d7c88231e1cd30e3231d5da3f26b0e56d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Fri, 30 Aug 2024 13:06:18 +0200 Subject: [PATCH 09/18] Added not empty token variable check --- install_functions/manager.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/install_functions/manager.sh b/install_functions/manager.sh index 862f76b..0d83620 100644 --- a/install_functions/manager.sh +++ b/install_functions/manager.sh 
@@ -45,6 +45,24 @@ function manager_startCluster() { function manager_checkService() { common_logger "Checking Wazuh API connection" eval "TOKEN=$(curl -k -s -X POST -u "wazuh-wui:wazuh-wui" https://127.0.0.1:55000/security/user/authenticate/run_as?raw=true -d '{"user_name":"wzread"}' -H "content-type:application/json")" + + max_attempts=5 + attempt=0 + seconds=3 + + while [[ -z "${TOKEN}" && "${attempt}" -lt "${max_attempts}" ]]; do + attempt=$((attempt+1)) + common_logger "Attempt $attempt: Trying to get Wazuh API token" + sleep "${seconds}" + TOKEN=$(curl -k -s -X POST -u "wazuh-wui:wazuh-wui" https://127.0.0.1:55000/security/user/authenticate/run_as?raw=true -d '{"user_name":"wzread"}' -H "content-type:application/json") + done + + if [[ -z "${TOKEN}" ]]; then + common_logger -e "Failed to obtain Wazuh API token after $max_attempts attempts." + installCommon_rollBack + exit 1 + fi + wm_error=$(curl -k -s -X GET "https://127.0.0.1:55000/agents/outdated?pretty=true" -H "Authorization: Bearer ${TOKEN}") if [[ ${wm_error,,} =~ '"error": 0' ]]; then From 4886372567876f0bb2ceb927cc20a25ef172bb2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Fri, 30 Aug 2024 13:10:54 +0200 Subject: [PATCH 10/18] Updated CHANGELOG for #45 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 85e2091..7fe0fd6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ All notable changes to this project will be documented in this file. ### Fixed - Fixed Wazuh API validation ([#29](https://github.com/wazuh/wazuh-installation-assistant/pull/29)) +- Fixed token variable empty in Wazuh manager check ([#45](https://github.com/wazuh/wazuh-installation-assistant/pull/45)) ## [4.9.1] From 5dc4d73be1a9f647a06105e661221f54ca049205 Mon Sep 17 00:00:00 2001 
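Review bot: The new retry loop and the final check only test `-z "${TOKEN}"`, but curl is called without `--fail`, so an HTTP error from the API leaves its error body in TOKEN; the loop is then skipped and that text is sent in the `Authorization: Bearer` header of the outdated-agents request. Adding `--fail` to both token requests (`curl -k -s --fail -X POST …`) makes an error response come back empty, so the retry and the rollback path actually trigger. The request also authenticates with the default `wazuh-wui:wazuh-wui` pair hard-coded on the command line. manager_checkService continues past the end of the hunk.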
From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Fri, 30 Aug 2024 14:01:29 +0200 Subject: [PATCH 11/18] Stored token curl command in a variable --- install_functions/manager.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/install_functions/manager.sh b/install_functions/manager.sh index 0d83620..edc7bd5 100644 --- a/install_functions/manager.sh +++ b/install_functions/manager.sh @@ -44,7 +44,8 @@ function manager_startCluster() { function manager_checkService() { common_logger "Checking Wazuh API connection" - eval "TOKEN=$(curl -k -s -X POST -u "wazuh-wui:wazuh-wui" https://127.0.0.1:55000/security/user/authenticate/run_as?raw=true -d '{"user_name":"wzread"}' -H "content-type:application/json")" + token_command="curl -k -s -X POST -u \"wazuh-wui:wazuh-wui\" https://127.0.0.1:55000/security/user/authenticate/run_as?raw=true -d '{\"user_name\":\"wzread\"}' -H \"content-type:application/json\"" + TOKEN=$(eval "${token_command}") max_attempts=5 attempt=0 @@ -54,7 +55,7 @@ function manager_checkService() { attempt=$((attempt+1)) common_logger "Attempt $attempt: Trying to get Wazuh API token" sleep "${seconds}" - TOKEN=$(curl -k -s -X POST -u "wazuh-wui:wazuh-wui" https://127.0.0.1:55000/security/user/authenticate/run_as?raw=true -d '{"user_name":"wzread"}' -H "content-type:application/json") + TOKEN=$(eval "${token_command}") done if [[ -z "${TOKEN}" ]]; then From d89b91c9eb34be50e76dd1ea913ff460fb447354 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Wed, 11 Sep 2024 14:23:40 +0200 Subject: [PATCH 12/18] Fixed manager check in distributed deployment --- install_functions/manager.sh | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/install_functions/manager.sh b/install_functions/manager.sh index edc7bd5..6c7c429 100644 --- a/install_functions/manager.sh +++ b/install_functions/manager.sh 
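Review bot: Keeping the request in a string and running it with `eval "${token_command}"` means the whole line is parsed again by the shell, so the quoting inside it is all that separates data from code; the unquoted URL containing `?` is also open to pathname expansion at that point. An array does the same job without a second parse: `token_command=(curl -k -s -X POST -u "wazuh-wui:wazuh-wui" "https://127.0.0.1:55000/security/user/authenticate/run_as?raw=true" -d '{"user_name":"wzread"}' -H "content-type:application/json")` and `TOKEN=$("${token_command[@]}")`, in both places the hunks touch. This matters more in the later `@@ -44,12 +44,20 @@` hunk, where `${api_password}` read from wazuh-passwords.txt is interpolated into the eval'd string: a password containing `"`, `$` or a backtick would be interpreted by the shell.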
@@ -44,12 +44,20 @@ function manager_startCluster() { function manager_checkService() { common_logger "Checking Wazuh API connection" - token_command="curl -k -s -X POST -u \"wazuh-wui:wazuh-wui\" https://127.0.0.1:55000/security/user/authenticate/run_as?raw=true -d '{\"user_name\":\"wzread\"}' -H \"content-type:application/json\"" + api_password="wazuh-wui" + token_command="curl -k -s -X POST -u \"wazuh-wui:${api_password}\" https://127.0.0.1:55000/security/user/authenticate/run_as?raw=true -d '{\"user_name\":\"wzread\"}' -H \"content-type:application/json\"" TOKEN=$(eval "${token_command}") - - max_attempts=5 + + # Change curl credentials in case the master node has changed the passwords + if [[ "${TOKEN}" =~ "Invalid credentials" && "${server_node_types[pos]}" == "worker" ]]; then + api_password=$(tar -axf "${tar_file}" wazuh-install-files/wazuh-passwords.txt -O | grep -P "'wazuh-wui'" -A 1 | awk 'NR==2 { print $2 }' | sed "s/'//g") + token_command="curl -k -s -X POST -u \"wazuh-wui:${api_password}\" https://127.0.0.1:55000/security/user/authenticate/run_as?raw=true -d '{\"user_name\":\"wzread\"}' -H \"content-type:application/json\"" + TOKEN=$(eval "${token_command}") + fi + + max_attempts=15 attempt=0 - seconds=3 + seconds=5 while [[ -z "${TOKEN}" && "${attempt}" -lt "${max_attempts}" ]]; do attempt=$((attempt+1)) From e41f764c92ea615687dfd353673546ebef1eef6a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Wed, 11 Sep 2024 15:34:00 +0200 Subject: [PATCH 13/18] Updated CHANGELOG for #52 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7fe0fd6..baab317 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
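Review bot: `api_password` is used without checking that the `tar … | grep -P … | awk … | sed` pipeline produced a value; if `${tar_file}` is unset or the entry is missing, the second request goes out as `wazuh-wui:` with an empty password and its error body becomes TOKEN, which the `-z` test in the loop below does not catch. A guard right after the assignment would fail early: `[[ -n "${api_password}" ]] || { common_logger -e "Could not read the wazuh-wui password from ${tar_file}"; installCommon_rollBack; exit 1; }`. The password also ends up on curl's command line, where it is visible in the process list while the request runs. The function body starts and ends outside the hunk.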
@@ -11,6 +11,7 @@ All notable changes to this project will be documented in this file. - Fixed Wazuh API validation ([#29](https://github.com/wazuh/wazuh-installation-assistant/pull/29)) - Fixed token variable empty in Wazuh manager check ([#45](https://github.com/wazuh/wazuh-installation-assistant/pull/45)) +- Fixed manager check in distributed deploymentn ([#52](https://github.com/wazuh/wazuh-installation-assistant/pull/52)) ## [4.9.1] From 49e096deabb245985e4c9d6c03136e37552f7f6e Mon Sep 17 00:00:00 2001 From: Enrique Araque Date: Wed, 11 Sep 2024 18:25:36 +0200 Subject: [PATCH 14/18] Fix bug when changing the Filebeat URL --- builder.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/builder.sh b/builder.sh index f007604..632a546 100755 --- a/builder.sh +++ b/builder.sh @@ -86,6 +86,7 @@ function buildInstaller() { echo 'readonly repository="4.x"' >> "${output_script_path}" fi echo >> "${output_script_path}" + checkFilebeatURL grep -Ev '^#|^\s*$' ${resources_common}/commonVariables.sh >> "${output_script_path}" grep -Ev '^#|^\s*$' ${resources_installer}/installVariables.sh >> "${output_script_path}" echo >> "${output_script_path}" @@ -132,9 +133,6 @@ function buildInstaller() { ## Main function and call to it echo >> "${output_script_path}" echo "main \"\$@\"" >> "${output_script_path}" - - checkFilebeatURL - } function buildPasswordsTool() { 
@@ -309,7 +307,10 @@ function checkDistDetectURL() { function checkFilebeatURL() { # Import variables - eval "$(grep -E "filebeat_wazuh_template=" "${resources_installer}/installVariables.sh")" + eval "$(grep -E "wazuh_version=" "${resources_installer}/installVariables.sh")" + eval "$(grep -E "source_branch=" "${resources_installer}/installVariables.sh" | sed 's/source_branch=/install_variables_source_branch=/')" + eval "$(grep -E "filebeat_wazuh_template=" "${resources_installer}/installVariables.sh" | sed "s/\${source_branch}/$install_variables_source_branch/")" + new_filebeat_url="https://raw.githubusercontent.com/wazuh/wazuh/master/extensions/elasticsearch/7.x/wazuh-template.json" # Get the response of the URL and check it From 4f42cc17739ae7baeb58239609a7032f489f0b47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Correa=20Rodr=C3=ADguez?= Date: Thu, 12 Sep 2024 08:58:59 +0200 Subject: [PATCH 15/18] Fixed typo in CHANGELOG --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index baab317..e9edcd2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,7 +11,7 @@ All notable changes to this project will be documented in this file. - Fixed Wazuh API validation ([#29](https://github.com/wazuh/wazuh-installation-assistant/pull/29)) - Fixed token variable empty in Wazuh manager check ([#45](https://github.com/wazuh/wazuh-installation-assistant/pull/45)) -- Fixed manager check in distributed deploymentn ([#52](https://github.com/wazuh/wazuh-installation-assistant/pull/52)) +- Fixed manager check in distributed deployment ([#52](https://github.com/wazuh/wazuh-installation-assistant/pull/52)) ## [4.9.1] From 0f7bb3a1cf85d943b1914983c7561ca52a2684da Mon Sep 17 00:00:00 2001 From: Enrique Araque Date: Thu, 12 Sep 2024 11:10:38 +0200 Subject: [PATCH 16/18] Add builder condition to use tag when testing a pre-release --- builder.sh | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
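Review bot: The three `eval "$(grep -E ...)"` lines in checkFilebeatURL execute every line of installVariables.sh that contains the substring, because the patterns `wazuh_version=`, `source_branch=` and `filebeat_wazuh_template=` are unanchored; a line that only mentions one of those names elsewhere would be run as well. The value of `install_variables_source_branch` is also spliced unescaped into the sed expression, so a branch name containing `/` or `&` would break or change the substitution. I would anchor each pattern to the start of the assignment and use a delimiter that is not expected in a ref name, e.g. `sed "s|\${source_branch}|${install_variables_source_branch}|"`. The body of checkFilebeatURL continues outside the hunk.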
diff --git a/builder.sh b/builder.sh index f007604..c5ba5e1 100755 --- a/builder.sh +++ b/builder.sh @@ -16,7 +16,7 @@ readonly resources_certs="${base_path_builder}/cert_tool" readonly resources_passwords="${base_path_builder}/passwords_tool" readonly resources_common="${base_path_builder}/common_functions" readonly resources_download="${base_path_builder}/downloader" -source_branch="4.10.0" +source_branch="v4.10.0" function getHelp() { @@ -48,8 +48,6 @@ function getHelp() { function buildInstaller() { - checkDistDetectURL - output_script_path="${base_path_builder}/wazuh-install.sh" ## Create installer script @@ -76,7 +74,10 @@ function buildInstaller() { echo 'readonly filebeat_wazuh_module="${repobaseurl}/filebeat/wazuh-filebeat-0.4.tar.gz"' >> "${output_script_path}" echo 'readonly bucket="packages-dev.wazuh.com"' >> "${output_script_path}" echo 'readonly repository="'"${devrepo}"'"' >> "${output_script_path}" - sed -i 's|v${wazuh_version}|${wazuh_version}|g' "${resources_installer}/installVariables.sh" + if [[ ! $(grep -E "source_branch=" "${resources_installer}/installVariables.sh" | sed -E 's/.*source_branch="([^"]+)"/\1/') =~ "-" ]]; then + sed -i 's|v${wazuh_version}|${wazuh_version}|g' "${resources_installer}/installVariables.sh" + pre_release_tag=1 + fi else echo 'readonly repogpg="https://packages.wazuh.com/key/GPG-KEY-WAZUH"' >> "${output_script_path}" echo 'readonly repobaseurl="https://packages.wazuh.com/4.x"' >> "${output_script_path}" @@ -116,6 +117,7 @@ function buildInstaller() { done ## dist-detect.sh + checkDistDetectURL echo "function dist_detect() {" >> "${output_script_path}" curl -s "https://raw.githubusercontent.com/wazuh/wazuh/${source_branch}/src/init/dist-detect.sh" | sed '/^#/d' >> "${output_script_path}" echo "}" >> "${output_script_path}" 
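Review bot: `pre_release_tag=1` is set in the branch where the `source_branch` value read from installVariables.sh does not contain `-`, which reads as the opposite of what the name suggests, and the variable is never initialised before builder_main tests it in the `@@ -267,7 +269,7 @@` hunk. A short comment above the `if` saying which case strips the `v` prefix, plus an explicit `pre_release_tag=""` next to the other globals, would make the pairing of the two sed calls clear. If the script is ever run with `set -u`, the read of the unset variable would abort. Both functions extend beyond their hunks.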
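Review bot: Moving `checkDistDetectURL` next to the download still leaves the fetch on the following line unchecked: `curl -s ... | sed '/^#/d'` appends whatever the server returns into `dist_detect()` of the generated installer, and a failed or error response is not detected at that point. Fetching first and failing closed would be safer, e.g. `dist_detect_src=$(curl -sf "https://raw.githubusercontent.com/wazuh/wazuh/${source_branch}/src/init/dist-detect.sh") || exit 1` followed by `printf '%s\n' "${dist_detect_src}" | sed '/^#/d' >> "${output_script_path}"`. The remote content is also embedded without any integrity check, which deserves at least a comment since it becomes part of the generated installer. buildInstaller continues outside the hunk.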
@@ -267,7 +269,7 @@ function builder_main() { if [ -n "${change_filebeat_url}" ]; then sed -i -E "s|(https.+)master(.+wazuh-template.json)|\1\\$\\{source_branch\\}\2|" "${resources_installer}/installVariables.sh" fi - if [ -n "${development}" ]; then + if [[ -n "${development}" && -n "${pre_release_tag}" ]]; then sed -i 's|${wazuh_version}|v${wazuh_version}|g' "${resources_installer}/installVariables.sh" fi fi @@ -286,7 +288,6 @@ function builder_main() { function checkDistDetectURL() { urls=("https://raw.githubusercontent.com/wazuh/wazuh/${source_branch}/src/init/dist-detect.sh" - "https://raw.githubusercontent.com/wazuh/wazuh/v${source_branch}/src/init/dist-detect.sh" "https://raw.githubusercontent.com/wazuh/wazuh/master/src/init/dist-detect.sh") for url in "${urls[@]}"; do From 996e6c9dccdcc1548274fa77ef7f77b40933a627 Mon Sep 17 00:00:00 2001 From: Enrique Araque Date: Fri, 13 Sep 2024 16:27:32 +0200 Subject: [PATCH 17/18] Update SECURITY.md file --- SECURITY.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 100f730..4c99eec 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -11,19 +11,15 @@ This policy applies to all open source projects developed, maintained, or hosted ## Reporting Security Vulnerabilities If you believe you've discovered a potential security vulnerability in one of our open source projects, we strongly encourage you to report it to us responsibly. -Please submit your findings as [security advisories](https://github.com/wazuh/wazuh-installation-assistant/security/advisories) under the "Security" tab in the relevant GitHub repository. Alternatively, you may send the details of your findings to security@wazuh.com. +Please submit your findings as security advisories under the "Security" tab in the relevant GitHub repository. Alternatively, you may send the details of your findings to [security@wazuh.com](mailto:security@wazuh.com). ## Vulnerability Disclosure Policy Upon receiving a report of a potential vulnerability, our team will initiate an investigation. If the reported issue is confirmed as a vulnerability, we will take the following steps: 1. Acknowledgment: We will acknowledge the receipt of your vulnerability report and begin our investigation. - 2. Validation: We will validate the issue and work on reproducing it in our environment. - 3. Remediation: We will work on a fix and thoroughly test it - 4. Release & Disclosure: After 90 days from the discovery of the vulnerability, or as soon as a fix is ready and thoroughly tested (whichever comes first), we will release a security update for the affected project. We will also publicly disclose the vulnerability by publishing a CVE (Common Vulnerabilities and Exposures) and acknowledging the discovering party. - 5. Exceptions: In order to preserve the security of the Wazuh community at large, we might extend the disclosure period to allow users to patch their deployments. This 90-day period allows for end-users to update their systems and minimizes the risk of widespread exploitation of the vulnerability. 
@@ -46,4 +42,4 @@ We ask that all users and contributors respect this policy and the security of o ## Changes to this Security Policy This policy may be revised from time to time. Each version of the policy will be identified at the top of the page by its effective date. -If you have any questions about this Security Policy, please contact us at security@wazuh.com +If you have any questions about this Security Policy, please contact us at [security@wazuh.com](mailto:security@wazuh.com) \ No newline at end of file From 010fc2da25b6ec591cf4fd5ca28cc526ed9048a4 Mon Sep 17 00:00:00 2001 From: Enrique Araque Date: Tue, 17 Sep 2024 10:10:50 +0200 Subject: [PATCH 18/18] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e9edcd2..29bbe89 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file. ### Changed - Added post-install validations for the Wazuh manager and Filebeat. ([#3059](https://github.com/wazuh/wazuh-packages/pull/3059)) +- Update SECURITY.md file. ([#59](https://github.com/wazuh/wazuh-installation-assistant/pull/59)) ### Fixed