You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When using the unattended installer, Wazuh/OpenDistro repo for Elasticsearch packages, installation fails on EL8 hosts with FIPS mode enabled due to OpenDistro requiring old versions of Elasticsearch.
This is a known issue in Elasticsearch as noted in issue 58257 due to Elasticsearch using MD5/SHA1 digests for package versions <7.15.
Due to OpenDistro requiring Elasticsearch OSS 7.10, manually installing Elasticsearch 7.15 is not an option. User must disable digest validation for the Elasticsearch packages in order for unattended installer to complete successfully.
Error Output
Install fails with an error about missing digest such as the following:
Error: Transaction test error:
package elasticsearch-oss-0:7.10.2-1.x86_64 does not verify: no digest
package opendistro-alerting-0:1.13.1.0-1.noarch does not verify: no digest
package opendistro-anomaly-detection-0:1.13.0.0-1.noarch does not verify: no digest
package opendistro-asynchronous-search-0:1.13.0.1-1.noarch does not verify: no digest
package opendistro-index-management-0:1.13.2.0-1.noarch does not verify: no digest
package opendistro-job-scheduler-0:1.13.0.0-1.noarch does not verify: no digest
package opendistro-performance-analyzer-0:1.13.0.0-1.noarch does not verify: no digest
package opendistro-reports-scheduler-0:1.13.0.0-1.noarch does not verify: no digest
package opendistro-security-0:1.13.1.0-1.noarch does not verify: no digest
package opendistro-sql-0:1.13.2.0-1.noarch does not verify: no digest
package opendistro-knnlib-1.13.0.0-1.x86_64 does not verify: no digest
package opendistro-knn-0:1.13.0.0-1.noarch does not verify: no digest
package opendistroforelasticsearch-0:1.13.2-1.x86_64 does not verify: no digest
Potential Fix
Considering the potential security ramifications of disabling digests during the install, it may be prudent to add an explicit flag (i.e. --nodigestcheck) to the script to enable this option
Add an option to check if host uses DNF instead of yum (default package manager EL8 hosts):
if [ -n"$(command -v dnf)" ];then
sys_type="dnf"
sep="-"
Add a check to see if host is running in FIPS mode:
if$(fips-mode-setup --check | grep "enabled"&>/dev/null);then
fips_mode=1;else
fips_mode=0
fi
Add condition to install Wazuh repo for 'sys_type' of DNF:
This is an issue with the Easticsearch, Filebeat, and Kibana packages, Wazuh agent and manager packages have the SHA256 header since version 3.12.0, and can be installed in FIPS mode without problem.
We will fix this problem in future versions of the unattended script.
Overview
When using the unattended installer, Wazuh/OpenDistro repo for Elasticsearch packages, installation fails on EL8 hosts with FIPS mode enabled due to OpenDistro requiring old versions of Elasticsearch.
This is a known issue in Elasticsearch as noted in issue 58257 due to Elasticsearch using MD5/SHA1 digests for package versions <7.15.
Due to OpenDistro requiring Elasticsearch OSS 7.10, manually installing Elasticsearch 7.15 is not an option. User must disable digest validation for the Elasticsearch packages in order for unattended installer to complete successfully.
Error Output
Install fails with an error about missing digest such as the following:
Error: Transaction test error: package elasticsearch-oss-0:7.10.2-1.x86_64 does not verify: no digest package opendistro-alerting-0:1.13.1.0-1.noarch does not verify: no digest package opendistro-anomaly-detection-0:1.13.0.0-1.noarch does not verify: no digest package opendistro-asynchronous-search-0:1.13.0.1-1.noarch does not verify: no digest package opendistro-index-management-0:1.13.2.0-1.noarch does not verify: no digest package opendistro-job-scheduler-0:1.13.0.0-1.noarch does not verify: no digest package opendistro-performance-analyzer-0:1.13.0.0-1.noarch does not verify: no digest package opendistro-reports-scheduler-0:1.13.0.0-1.noarch does not verify: no digest package opendistro-security-0:1.13.1.0-1.noarch does not verify: no digest package opendistro-sql-0:1.13.2.0-1.noarch does not verify: no digest package opendistro-knnlib-1.13.0.0-1.x86_64 does not verify: no digest package opendistro-knn-0:1.13.0.0-1.noarch does not verify: no digest package opendistroforelasticsearch-0:1.13.2-1.x86_64 does not verify: no digest
Potential Fix
The text was updated successfully, but these errors were encountered: