Using password authentication

This method requires a password during the enrollment process to ensure that agents enrolled with the Wazuh manager are authenticated.

The steps below describe how to configure password authentication for agents on different endpoints:

Prerequisites

Before an agent can be enrolled with the Wazuh manager using the password authentication method, the following must be done on the Wazuh manager:

  1. Enable the password authentication option by adding the configuration highlighted below to the <auth> section of the manager configuration file /var/ossec/etc/ossec.conf.

    <auth>
      <use_password>yes</use_password>
    </auth>
    
  2. Create a password to be used for agent enrollment. This can be achieved in two ways:

    • Recommended - Create the file /var/ossec/etc/authd.pass on the manager and put your own password in it. To do so, run the command below in the terminal, then restart the Wazuh manager.

      # echo "<custom_password>" > /var/ossec/etc/authd.pass
      

    Note that you have to replace <custom_password> with your own agent enrollment password.

    File permissions for the authd.pass file should be set to 644 and the owner should be root. The permissions and ownership can be configured by running the commands below:

    # chmod 644 /var/ossec/etc/authd.pass
    # chown root:wazuh /var/ossec/etc/authd.pass
    

    The output below shows the recommended file owner and permissions.

      -rw-r--r-- 1 root wazuh 9 Jan 11 12:50 /var/ossec/etc/authd.pass
    

    After this, restart the Wazuh service for the changes to take effect.

    # systemctl restart wazuh-manager
    
    • Allow the enrollment service to set a random password. After adding the <use_password>yes</use_password> configuration on the Wazuh manager, restart the manager.

    # systemctl restart wazuh-manager
    

    This will cause the enrollment service to generate a random password. This password can then be found in /var/ossec/logs/ossec.log. Run the following command to get the agent enrollment password.

    # grep "Random password" /var/ossec/logs/ossec.log
    
      2022/01/11 12:41:35 wazuh-authd: INFO: Accepting connections on port 1515. Random password chosen for agent authentication: 6258b4eb21550e4f182a08c10d94585e
    

Note

If the deployment uses a multi-node cluster, ensure that password authentication is enabled on each manager node. This prevents unauthorized agent enrollment through an unsecured manager node.
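
The prerequisites above can be checked on each manager node with a short script. This is an added example, not part of the Wazuh documentation or code base: the function names are hypothetical, it assumes GNU stat, and it treats any uncommented <use_password> value other than yes inside <auth> as a failure.

```shell
#!/bin/sh
# Added example with hypothetical function names: audit one manager node.

# Succeeds only if at least one uncommented <use_password> inside <auth> is
# "yes" and none holds another value. XML comments are stripped first.
check_use_password() {
    awk '
    {   line = $0
        while (1) {
            if (incom) {                       # inside a multi-line comment
                e = index(line, "-->")
                if (!e) { line = ""; break }
                line = substr(line, e + 3); incom = 0
            }
            s = index(line, "<!--")
            if (!s) break
            rest = substr(line, s + 4); e = index(rest, "-->")
            if (e) { line = substr(line, 1, s - 1) substr(rest, e + 3) }
            else   { line = substr(line, 1, s - 1); incom = 1; break }
        }
    }
    line ~ /<auth>/ { inauth = 1 }
    inauth && line ~ /<use_password>/ {
        if (line ~ /<use_password>[ \t]*yes[ \t]*<\/use_password>/) { yes++ } else { bad++ }
    }
    line ~ /<\/auth>/ { inauth = 0 }
    END { exit !(yes > 0 && bad == 0) }
    ' "$1"
}

# Succeeds if the file has mode 644 and the expected owner (default root:wazuh,
# as the page recommends), is non-empty, and no longer holds the literal
# <custom_password> placeholder. Uses GNU stat, as found on a Linux manager.
check_authd_pass() {
    file=$1; owner=${2:-root:wazuh}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    [ "$(stat -c '%a %U:%G' "$file")" = "644 $owner" ] ||
        { echo "unexpected mode or owner: $file" >&2; return 1; }
    pass=$(cat "$file")
    [ -n "$pass" ] && [ "$pass" != "<custom_password>" ] ||
        { echo "empty or placeholder password: $file" >&2; return 1; }
}

# Run on each manager node of the cluster when both paths are given as arguments.
if [ "$#" -eq 2 ]; then
    check_use_password "$1" || echo "use_password is not enabled in $1" >&2
    check_authd_pass "$2"
fi
```

Run it as root on every node with /var/ossec/etc/ossec.conf and /var/ossec/etc/authd.pass as the two arguments; a non-zero exit status or a message on stderr marks a node that still needs attention.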

Once the above prerequisites are fulfilled, agent enrollment can be done using the steps corresponding to the OS running on endpoints with the agent installed.

Linux/Unix endpoint

The following steps serve as a guide on how to enroll a Linux/Unix endpoint with password authentication:

  1. Launch the terminal as a root user.

  2. Create the file /var/ossec/etc/authd.pass with the enrollment password in it.

    # echo "<custom_password>" > /var/ossec/etc/authd.pass
    
    1. You have to replace <custom_password> with the agent enrollment password created on the manager.

    2. File permissions for the authd.pass file should be set to 644 and the owner should be root. The permissions and ownership can be configured by running the commands below:

      # chmod 644 /var/ossec/etc/authd.pass
      # chown root:wazuh /var/ossec/etc/authd.pass
      

    The output below shows the recommended file owner and permissions.

      -rw-r--r-- 1 root wazuh 18 Jan 11 13:03 /var/ossec/etc/authd.pass
    
  3. Add the Wazuh manager IP address or DNS name in the <client><server><address> section of the agent configuration file /var/ossec/etc/ossec.conf.

      <client>
         <server>
            <address>MANAGER_IP</address>
         ...
         </server>
      </client>
    

    This will allow the agent to send logs to the manager specified.

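  4. Restart the agent to apply the changes. Use whichever of the commands below matches the endpoint: systemctl on systemd systems, service on SysV init systems, or the wazuh-control script directly.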

    # systemctl restart wazuh-agent
    
    # service wazuh-agent restart
    
    # /var/ossec/bin/wazuh-control restart
    
  5. In the Wazuh dashboard, select the “agents” tab and check that the newly enrolled agent is listed, along with its connection status, to confirm that enrollment was successful.

Windows endpoint

The following steps serve as a guide on how to enroll a Windows endpoint with password authentication:

The Wazuh agent installation directory depends on the architecture of the host.

  • C:\Program Files (x86)\ossec-agent for 64-bit systems.

  • C:\Program Files\ossec-agent for 32-bit systems.

  1. Launch PowerShell as an administrator.

  2. Create a file called authd.pass and save the password to it.

    # echo "<custom_password>" > "C:\Program Files (x86)\ossec-agent\authd.pass"
    

    Note that you have to replace <custom_password> with the agent enrollment password created on the manager.

  3. Add the Wazuh manager IP address or DNS name in the <client><server><address> section of C:\Program Files (x86)\ossec-agent\ossec.conf:

      <client>
         <server>
             <address>MANAGER_IP</address>
            ...
         </server>
      </client>
    
  4. Restart the agent to apply the changes. Use either the PowerShell cmdlet or the net commands below.

    # Restart-Service -Name wazuh
    
    # net stop wazuh
    # net start wazuh
    
  5. In the Wazuh dashboard, select the “agents” tab and check that the newly enrolled agent is listed, along with its connection status, to confirm that enrollment was successful.

macOS endpoint

The following steps serve as a guide on how to enroll a macOS endpoint with password authentication:

  1. Launch the terminal as a root user.

  2. Create a file called /Library/Ossec/etc/authd.pass and save the password to it.

    # echo "<custom_password>" > /Library/Ossec/etc/authd.pass
    
    1. You have to replace <custom_password> with the agent enrollment password created on the manager.

    2. File permissions for the authd.pass file should be set to 644 and the owner should be root. The permissions and ownership can be configured by running the commands below:

      # chmod 644 /Library/Ossec/etc/authd.pass
      # chown root:wazuh /Library/Ossec/etc/authd.pass
      

    The output below shows the recommended file owner and permissions:

     -rw-r--r-- 1 root wazuh 18 Jan 11 13:03 /Library/Ossec/etc/authd.pass
    
  3. Add the Wazuh manager IP address or DNS name in the <client><server><address> section of /Library/Ossec/etc/ossec.conf:

    <client>
      <server>
         <address>MANAGER_IP</address>
         ...
      </server>
    </client>
    

    This will allow the agent to send logs to the specified manager.

  4. Restart the agent to make the changes effective.

    # /Library/Ossec/bin/wazuh-control restart
    
  5. In the Wazuh dashboard, select the “agents” tab and check that the newly enrolled agent is listed, along with its connection status, to confirm that enrollment was successful.