Unattended installer fails when host is in FIPS mode (EL8) #1358

Open
bman120 opened this issue Mar 19, 2022 · 1 comment
bman120 commented Mar 19, 2022

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.2.5 | Elasticsearch, Filebeat, Kibana | Manager | All-in-one : Unattended | AlmaLinux 8.5 |

Overview

When using the unattended installer, Wazuh/OpenDistro repo for Elasticsearch packages, installation fails on EL8 hosts with FIPS mode enabled due to OpenDistro requiring old versions of Elasticsearch.

This is a known issue in Elasticsearch as noted in issue 58257 due to Elasticsearch using MD5/SHA1 digests for package versions <7.15.

Due to OpenDistro requiring Elasticsearch OSS 7.10, manually installing Elasticsearch 7.15 is not an option. User must disable digest validation for the Elasticsearch packages in order for unattended installer to complete successfully.

Error Output

Install fails with an error about missing digest such as the following:

```
Error: Transaction test error:
  package elasticsearch-oss-0:7.10.2-1.x86_64 does not verify: no digest
  package opendistro-alerting-0:1.13.1.0-1.noarch does not verify: no digest
  package opendistro-anomaly-detection-0:1.13.0.0-1.noarch does not verify: no digest
  package opendistro-asynchronous-search-0:1.13.0.1-1.noarch does not verify: no digest
  package opendistro-index-management-0:1.13.2.0-1.noarch does not verify: no digest
  package opendistro-job-scheduler-0:1.13.0.0-1.noarch does not verify: no digest
  package opendistro-performance-analyzer-0:1.13.0.0-1.noarch does not verify: no digest
  package opendistro-reports-scheduler-0:1.13.0.0-1.noarch does not verify: no digest
  package opendistro-security-0:1.13.1.0-1.noarch does not verify: no digest
  package opendistro-sql-0:1.13.2.0-1.noarch does not verify: no digest
  package opendistro-knnlib-1.13.0.0-1.x86_64 does not verify: no digest
  package opendistro-knn-0:1.13.0.0-1.noarch does not verify: no digest
  package opendistroforelasticsearch-0:1.13.2-1.x86_64 does not verify: no digest
```

Potential Fix

Considering the potential security ramifications of disabling digests during the install, it may be prudent to add an explicit flag (i.e. --nodigestcheck) to the script to enable this option.

  • Add an option to check if host uses DNF instead of yum (default package manager on EL8 hosts):
```bash
# Select dnf when it is available on the host.
if [ -n "$(command -v dnf)" ]; then
    sys_type="dnf"
    sep="-"
fi
```
  • Add a check to see if host is running in FIPS mode:
```bash
# Test the pipeline's exit status directly instead of executing its output.
if fips-mode-setup --check | grep -q "enabled"; then
    fips_mode=1
else
    fips_mode=0
fi
```
  • Add condition to install Wazuh repo for 'sys_type' of DNF:
```bash
addWazuhrepo() {
    logger "Adding the Wazuh repository..."

    # dnf reads the same /etc/yum.repos.d definitions as yum.
    if [ "${sys_type}" == "yum" ] || [ "${sys_type}" == "dnf" ]; then
        eval "rpm --import ${repogpg} ${debug}"
        eval "echo -e '[wazuh]\ngpgcheck=1\ngpgkey=${repogpg}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl='${repobaseurl}'/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo ${debug}"
    ...
}
```
  • Add condition during install of Elasticsearch to disable digest checks:
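```bash
installElasticsearch() {
...
    if [ "${sys_type}" == "yum" ]; then
        eval "yum install opendistroforelasticsearch-${OD_VER}-${OD_REV} -y ${debug}"
    elif [ "${sys_type}" == "dnf" ] && [ "${fips_mode}" == 1 ]; then
        # "%_pkgverify_level none" turns off rpm digest and signature
        # verification for every transaction until the file is removed.
        eval "echo '%_pkgverify_level none' >/etc/rpm/macros.verify"
        # tsflags=nocrypto skips digest/signature checks for this transaction.
        eval "dnf install -y --setopt=tsflags=nocrypto opendistroforelasticsearch-${OD_VER}-${OD_REV} ${debug}"
...
}
```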
  • Update filebeat installation to account for no digest check:
```bash
installFilebeat() {
...
    # Only the dnf + FIPS case skips digest/signature checks.
    if [ "${sys_type}" == "dnf" ] && [ "${fips_mode}" == 1 ]; then
        eval "dnf install -y -q --setopt=tsflags=nocrypto filebeat${sep}${ELK_VER} ${debug}"
    elif [ "${sys_type}" == "zypper" ]; then
        eval "zypper -n install filebeat=${ELK_VER} ${debug}"
    else
        eval "${sys_type} install filebeat${sep}${ELK_VER} -y -q  ${debug}"
    fi
...
}
```
  • Update Kibana installation to account for no digest check:
```bash
installKibana() {
...
    # Only the dnf + FIPS case skips digest/signature checks.
    if [ "${sys_type}" == "dnf" ] && [ "${fips_mode}" == 1 ]; then
        eval "dnf install -y --setopt=tsflags=nocrypto opendistroforelasticsearch-kibana${sep}${OD_VER} ${debug}"
    elif [ "${sys_type}" == "zypper" ]; then
        eval "zypper -n install opendistroforelasticsearch-kibana=${OD_VER} ${debug}"
    else
        eval "${sys_type} install opendistroforelasticsearch-kibana${sep}${OD_VER} -y ${debug}"
    fi
...
}
```
  • Update checkInstalled to account for dnf:
```bash
checkInstalled() {

   if [ "${sys_type}" == "yum" ] || [ "${sys_type}" == "dnf" ]; then
       wazuhinstalled=$(yum list installed 2>/dev/null | grep wazuh-manager)
...
   if [ "${sys_type}" == "yum" ] || [ "${sys_type}" == "dnf" ]; then
       elasticinstalled=$(yum list installed 2>/dev/null | grep opendistroforelasticsearch)
...
   if [ "${sys_type}" == "yum" ] || [ "${sys_type}" == "dnf" ]; then
       filebeatinstalled=$(yum list installed 2>/dev/null | grep filebeat)
...
   if [ "${sys_type}" == "yum" ] || [ "${sys_type}" == "dnf" ]; then
       kibanainstalled=$(yum list installed 2>/dev/null | grep opendistroforelasticsearch-kibana)
...
}
```
  • Remove 'macros.verify' after successful installation:
```bash
checkInstallation() {
...
    # Re-enable rpm verification; -f keeps this quiet when the file was never created.
    rm -f /etc/rpm/macros.verify
    logger $'\nInstallation finished'
...
}
```
  • Remove 'macros.verify' after failed installation:
```bash
rollBack() {

    if [ -z "${uninstall}" ]; then
        logger -w "Cleaning the installation"
        # -f: do not fail the rollback when the override was never written.
        rm -f /etc/rpm/macros.verify
    fi
    ...
}
```
alberpilot transferred this issue from wazuh/wazuh Mar 21, 2022
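
The proposal above writes /etc/rpm/macros.verify before the install and removes it in two separate functions. As an added example (not code from the issue or from the Wazuh installer), the helper below scopes that override to one command, restores a pre-existing macro file, and cleans up on every exit path. The names `with_relaxed_pkgverify`, `NODIGESTCHECK`, `FIPS_FLAG` and the backup suffix are assumptions, and FIPS state is read from /proc/sys/crypto/fips_enabled rather than from `fips-mode-setup`.

```shell
#!/bin/sh
# Added example, not from the issue or the Wazuh installer.
# Paths default to the real locations; override them to test without root.
MACRO_FILE="${MACRO_FILE:-/etc/rpm/macros.verify}"
FIPS_FLAG="${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"
BACKUP_SUFFIX=".pre-install"   # hypothetical backup suffix

fips_enabled() {
    # The kernel exposes FIPS state as "1" in this file.
    [ "$(cat "$FIPS_FLAG" 2>/dev/null)" = "1" ]
}

relax_pkgverify() {
    # Keep an administrator's existing macro file instead of overwriting it.
    if [ -e "$MACRO_FILE" ] && [ ! -e "$MACRO_FILE$BACKUP_SUFFIX" ]; then
        mv "$MACRO_FILE" "$MACRO_FILE$BACKUP_SUFFIX" || return 1
    fi
    printf '%%_pkgverify_level none\n' > "$MACRO_FILE" || return 1
    _pkgverify_relaxed=1
}

restore_pkgverify() {
    # Idempotent: only undo an override that this run created.
    [ "${_pkgverify_relaxed:-0}" = "1" ] || return 0
    rm -f "$MACRO_FILE"
    if [ -e "$MACRO_FILE$BACKUP_SUFFIX" ]; then
        mv "$MACRO_FILE$BACKUP_SUFFIX" "$MACRO_FILE"
    fi
    _pkgverify_relaxed=0
}

with_relaxed_pkgverify() {
    # Usage: with_relaxed_pkgverify <command> [args...]
    # The override applies only with explicit opt-in AND a FIPS host.
    if [ "${NODIGESTCHECK:-0}" != "1" ] || ! fips_enabled; then
        "$@"
        return $?
    fi
    relax_pkgverify || return 1
    trap restore_pkgverify EXIT      # covers exits the caller did not plan
    trap 'exit 130' INT TERM         # turn signals into an exit so EXIT fires
    rc=0
    "$@" || rc=$?
    restore_pkgverify
    trap - EXIT INT TERM
    return "$rc"
}
```

In the installer each package step would be wrapped, for example `with_relaxed_pkgverify dnf install -y --setopt=tsflags=nocrypto <package>`, so verification is back on as soon as that command returns.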
DFolchA (Contributor) commented Mar 22, 2022

Hello,

This is an issue with the Elasticsearch, Filebeat, and Kibana packages. Wazuh agent and manager packages have the SHA256 header since version 3.12.0, and can be installed in FIPS mode without problem.

We will fix this problem in future versions of the unattended script.
