Merge pull request #54 from jordanopensource/fix/wazuh-manager-certs

Fix Wazuh manager certs

charts/wazuh/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.0
+version: 1.0.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "4.8.1"
+appVersion: "4.8.2"

charts/wazuh/configs/wazuh_conf/master.conf

@@ -103,84 +103,25 @@
     <processes>yes</processes>
   </wodle>
 
-  <vulnerability-detector>
-    <enabled>no</enabled>
-    <interval>5m</interval>
-    <min_full_scan_interval>6h</min_full_scan_interval>
-    <run_on_start>yes</run_on_start>
-
-    <!-- Ubuntu OS vulnerabilities -->
-    <provider name="canonical">
-      <enabled>no</enabled>
-      <os>trusty</os>
-      <os>xenial</os>
-      <os>bionic</os>
-      <os>focal</os>
-      <os>jammy</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Debian OS vulnerabilities -->
-    <provider name="debian">
-      <enabled>no</enabled>
-      <os>buster</os>
-      <os>bullseye</os>
-      <os>bookworm</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- RedHat OS vulnerabilities -->
-    <provider name="redhat">
-      <enabled>no</enabled>
-      <os>5</os>
-      <os>6</os>
-      <os>7</os>
-      <os>8</os>
-      <os>9</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Amazon Linux OS vulnerabilities -->
-    <provider name="alas">
-      <enabled>no</enabled>
-      <os>amazon-linux</os>
-      <os>amazon-linux-2</os>
-      <os>amazon-linux-2023</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- SUSE Linux Enterprise OS vulnerabilities -->
-    <provider name="suse">
-      <enabled>no</enabled>
-      <os>11-server</os>
-      <os>11-desktop</os>
-      <os>12-server</os>
-      <os>12-desktop</os>
-      <os>15-server</os>
-      <os>15-desktop</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Arch OS vulnerabilities -->
-    <provider name="arch">
-      <enabled>no</enabled>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Windows OS vulnerabilities -->
-    <provider name="msu">
-      <enabled>yes</enabled>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Aggregate vulnerabilities -->
-    <provider name="nvd">
-      <enabled>yes</enabled>
-      <update_from_year>2010</update_from_year>
-      <update_interval>1h</update_interval>
-    </provider>
-
-  </vulnerability-detector>
+  <vulnerability-detection>
+    <enabled>yes</enabled>
+    <index-status>yes</index-status>
+    <feed-update-interval>60m</feed-update-interval>
+  </vulnerability-detection>
+
+  <indexer>
+    <enabled>yes</enabled>
+    <hosts>
+      <host>https://wazuh-indexer:9200</host>
+    </hosts>
+    <ssl>
+      <certificate_authorities>
+        <ca>/etc/ssl/root-ca.pem</ca>
+      </certificate_authorities>
+      <certificate>/etc/ssl/filebeat.pem</certificate>
+      <key>/etc/ssl/filebeat.key</key>
+    </ssl>
+  </indexer>
 
   <!-- File integrity monitoring -->
   <syscheck>
@@ -389,13 +330,4 @@
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
 
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/syslog</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/dpkg.log</location>
-  </localfile>
-</ossec_config>
+</ossec_config>

charts/wazuh/configs/wazuh_conf/worker.conf

@@ -103,84 +103,25 @@
     <processes>yes</processes>
   </wodle>
 
-  <vulnerability-detector>
-    <enabled>no</enabled>
-    <interval>5m</interval>
-    <min_full_scan_interval>6h</min_full_scan_interval>
-    <run_on_start>yes</run_on_start>
-
-    <!-- Ubuntu OS vulnerabilities -->
-    <provider name="canonical">
-      <enabled>no</enabled>
-      <os>trusty</os>
-      <os>xenial</os>
-      <os>bionic</os>
-      <os>focal</os>
-      <os>jammy</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Debian OS vulnerabilities -->
-    <provider name="debian">
-      <enabled>no</enabled>
-      <os>buster</os>
-      <os>bullseye</os>
-      <os>bookworm</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- RedHat OS vulnerabilities -->
-    <provider name="redhat">
-      <enabled>no</enabled>
-      <os>5</os>
-      <os>6</os>
-      <os>7</os>
-      <os>8</os>
-      <os>9</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Amazon Linux OS vulnerabilities -->
-    <provider name="alas">
-      <enabled>no</enabled>
-      <os>amazon-linux</os>
-      <os>amazon-linux-2</os>
-      <os>amazon-linux-2023</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- SUSE Linux Enterprise OS vulnerabilities -->
-    <provider name="suse">
-      <enabled>no</enabled>
-      <os>11-server</os>
-      <os>11-desktop</os>
-      <os>12-server</os>
-      <os>12-desktop</os>
-      <os>15-server</os>
-      <os>15-desktop</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Arch OS vulnerabilities -->
-    <provider name="arch">
-      <enabled>no</enabled>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Windows OS vulnerabilities -->
-    <provider name="msu">
-      <enabled>yes</enabled>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Aggregate vulnerabilities -->
-    <provider name="nvd">
-      <enabled>yes</enabled>
-      <update_from_year>2010</update_from_year>
-      <update_interval>1h</update_interval>
-    </provider>
-
-  </vulnerability-detector>
+  <vulnerability-detection>
+    <enabled>yes</enabled>
+    <index-status>yes</index-status>
+    <feed-update-interval>60m</feed-update-interval>
+  </vulnerability-detection>
+
+  <indexer>
+    <enabled>yes</enabled>
+    <hosts>
+      <host>https://wazuh-indexer:9200</host>
+    </hosts>
+    <ssl>
+      <certificate_authorities>
+        <ca>/etc/ssl/root-ca.pem</ca>
+      </certificate_authorities>
+      <certificate>/etc/ssl/filebeat.pem</certificate>
+      <key>/etc/ssl/filebeat.key</key>
+    </ssl>
+  </indexer>
 
   <!-- File integrity monitoring -->
   <syscheck>
@@ -359,7 +300,7 @@
       <after_registration_time>1h</after_registration_time>
     </force>
     <purge>no</purge>
-    <use_password>no</use_password>
+    <use_password>yes</use_password>
     <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
     <!-- <ssl_agent_ca></ssl_agent_ca> -->
     <ssl_verify_host>no</ssl_verify_host>
@@ -389,13 +330,4 @@
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
 
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/syslog</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/dpkg.log</location>
-  </localfile>
-</ossec_config>
+</ossec_config>

charts/wazuh/templates/dashboard/dashboard-certificate.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.tls.enabled .Values.tls.certManager.enabled }}
+{{- if .Values.tls.certManager.enabled }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

charts/wazuh/templates/dashboard/dashboard-deployment.yaml

@@ -93,7 +93,7 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
       volumes:
-        {{- if and .Values.tls.enabled .Values.tls.certManager.enabled }}
+        {{- if .Values.tls.certManager.enabled }}
         - name: dashboard-certs
           projected:
             sources:
@@ -109,7 +109,7 @@ spec:
                     path: cert.pem
                   - key: tls.key
                     path: key.pem
-        {{- else if and .Values.tls.enabled (not (eq .Values.tls.secretName "")) }}
+        {{- else if .Values.tls.secretName }}
         - name: dashboard-certs
           secret:
             secretName: {{ .Values.tls.secretName }}

charts/wazuh/templates/indexer/admin-certificate.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.tls.enabled .Values.tls.certManager.enabled}}
+{{- if .Values.tls.certManager.enabled}}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

charts/wazuh/templates/indexer/indexer-sts.yaml

@@ -127,7 +127,7 @@ spec:
               {{- toYaml . | nindent 12 }}
             {{- end }}
       volumes:
-        {{- if and .Values.tls.enabled .Values.tls.certManager.enabled }}
+        {{- if .Values.tls.certManager.enabled }}
         - name: indexer-certs
           projected:
             sources:
@@ -157,7 +157,7 @@ spec:
                     path: filebeat.pem
                   - key: tls.key
                     path: filebeat-key.pem
-        {{- else if and .Values.tls.enabled (not (eq .Values.tls.secretName "")) }}
+        {{- else if .Values.tls.secretName }}
         - name: indexer-certs
           secret:
             secretName: {{ .Values.tls.secretName }}
@@ -214,4 +214,4 @@ spec:
         resources:
           requests:
             storage: {{ .Values.indexer.storage.size }}
-  {{- end }}
+  {{- end }}

charts/wazuh/templates/indexer/node-certificate.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.tls.enabled .Values.tls.certManager.enabled }}
+{{- if .Values.tls.certManager.enabled }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

charts/wazuh/templates/manager/filebeat-certificate.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.tls.enabled .Values.tls.certManager.enabled}}
+{{- if .Values.tls.certManager.enabled}}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

charts/wazuh/templates/manager/manager-certificate.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.tls.certManager.enabled}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: "manager-tls"
+spec:
+  secretName: "manager-tls"
+  issuerRef:
+    name: {{ .Values.tls.certManager.issuer.name }}
+    kind: {{ .Values.tls.certManager.issuer.kind }}
+  commonName: {{ .Values.tls.certManager.commonName }}
+  duration: {{ .Values.tls.certManager.duration }}
+  renewBefore: {{ .Values.tls.certManager.renewBefore }}
+  dnsNames:
+    {{- range .Values.tls.certManager.dnsNames }}
+    - {{ . }}
+    {{- end }}
+{{- end }}