The validation of DNS doesn't support some expected valid values in wazuh_install.sh #2350

Closed
Desvelao opened this issue Aug 11, 2023 · 3 comments · Fixed by #2381
Desvelao commented Aug 11, 2023

| Wazuh version | Install type | Action performed | Platform |
|---|---|---|---|
| X.Y.Z-rev | Manager/API/Agent | Install/Upgrade/Remove | OS version |

The wazuh_install.sh script, which performs the unattended Wazuh installation, has a check to validate the DNS. This validation may not pass for some expected valid DNS names, such as foo.bar1.com.

Related code in the script:

isDNS=$(echo "${!i}" | grep -P "^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9](?:\.[a-zA-Z-]{2,})+$" )

This was reported by a community user.

@Desvelao Desvelao added type/bug Bug issue level/task Subtask issue labels Aug 11, 2023

davidcr01 commented Aug 23, 2023

Update Report

Research

In https://stackoverflow.com/questions/106179/regular-expression-to-match-dns-hostname-or-ip-address, the following regex is considered one of the best regexes to match valid DNS names:
^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$

This regex specifies that:

  • The string must start with a letter or a number.
  • The string can contain letters, numbers, and hyphens.
  • The string can contain a maximum of 63 characters.
  • The string cannot end with a hyphen.
  • The string cannot contain two hyphens in a row.

The following screenshot shows some valid and invalid matches:
Image

Notice that the string foo.bar1.com proposed in the issue is valid for this regex.

The previous regex ^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9](?:\.[a-zA-Z-]{2,})+$ shows the following valid and invalid strings:
Image

@davidcr01

Update Report

After talking with the team, the localhost DNS is not permitted. Because of this, I edited the regex to not allow DNS with just one word.

The regex is the following: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.([A-Za-z]{2,})$

image
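
The three patterns quoted in this thread, run side by side over constructed hostnames. This is an added example, not part of the comments above or of wazuh_install.sh; it also probes two edge cases, a doubled hyphen and a 64-character label. The helpers `matches`, `verdict` and `is_valid_dns`, the sample names `a--b.com` and `LONG_LABEL`, and the 63/253 length limits (taken from the DNS specification, not from this page) are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not from wazuh_install.sh): compares the regexes quoted in
# this thread. Needs GNU grep with PCRE (-P), which the installer also uses.

# Original check from the issue description.
OLD_RE='^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9](?:\.[a-zA-Z-]{2,})+$'
# Stack Overflow candidate from the first update.
SO_RE='^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$'
# Final regex from the second update (single-word names rejected).
NEW_RE='^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.([A-Za-z]{2,})$'

# matches REGEX NAME: exit status 0 when NAME matches REGEX.
matches() { printf '%s\n' "$2" | grep -qP -- "$1"; }

# verdict REGEX NAME: prints "ok" or "no".
verdict() { if matches "$1" "$2"; then echo ok; else echo no; fi; }

# Hypothetical stricter check (an assumption, not project code): NEW_RE plus
# the DNS length limits of 63 bytes per label and 253 bytes per name.
is_valid_dns() {
    [ "${#1}" -le 253 ] || return 1
    matches "$NEW_RE" "$1" || return 1
    if printf '%s\n' "$1" | grep -qE '[^.]{64,}'; then return 1; fi
    return 0
}

# Constructed edge case: a 64-character label.
LONG_LABEL="$(printf '%064d' 0 | tr 0 a).com"

for n in foo.bar1.com www.google.es localhost localhost.123 a--b.com "$LONG_LABEL"; do
    strict=$(if is_valid_dns "$n"; then echo ok; else echo no; fi)
    printf '%-16.16s old=%s so=%s new=%s strict=%s\n' "$n" \
        "$(verdict "$OLD_RE" "$n")" "$(verdict "$SO_RE" "$n")" \
        "$(verdict "$NEW_RE" "$n")" "$strict"
done
```

The `strict` column differs from `new` only on the 64-character label, which the regex alone accepts.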


davidcr01 commented Aug 24, 2023

Update Report

Testing

Using valid DNS

config.yml:

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: www.google.es
    #- name: node-2
    #  ip: <indexer-node-ip>
    #- name: node-3d
    #  ip: <indexer-node-ip>

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: foo.bar1.com

Output:

24/08/2023 09:40:13 DEBUG: Creating the Wazuh indexer certificates.
Ignoring -days without -x509; not generating a certificate
-----
Certificate request self-signature ok
subject=C = US, L = California, O = Wazuh, OU = Wazuh, CN = node-1
24/08/2023 09:40:13 DEBUG: Creating the Wazuh server certificates.
Ignoring -days without -x509; not generating a certificate
-----
Certificate request self-signature ok
subject=C = US, L = California, O = Wazuh, OU = Wazuh, CN = wazuh-1

Using invalid DNS

config.yml:

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: localhost

Output:

24/08/2023 09:44:00 DEBUG: Creating the Wazuh indexer certificates.
24/08/2023 09:44:00 ERROR: Invalid IP or DNS localhost

config.yml:

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: localhost.123

Output:

24/08/2023 09:44:00 DEBUG: Creating the Wazuh indexer certificates.
24/08/2023 09:44:00 ERROR: Invalid IP or DNS localhost.123

Using valid IP address

config.yml:

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: 127.0.0.1

Output:

24/08/2023 09:45:42 DEBUG: Creating the Wazuh indexer certificates.
Ignoring -days without -x509; not generating a certificate
-----
Certificate request self-signature ok
subject=C = US, L = California, O = Wazuh, OU = Wazuh, CN = node-1

Using invalid IP address (public)

config.yml:

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: 82.129.80.111

Output:

24/08/2023 09:47:20 INFO: --- Configuration files ---
24/08/2023 09:47:20 INFO: Generating configuration files.
24/08/2023 09:47:20 ERROR: The IP 82.129.80.111 is public.

New bug found

⚠️ In the testing, a new bug was found (4.5.0). It seems that, when using multiple DNS in the Wazuh server (related #1770), if an invalid DNS is specified in the config.yml file, the script does not generate any error, but the certificate is created:

The config.yml file, the server configuration:

server:
    - name: wazuh-1
      ip: www.google.es
      ip: localhost
      ip: wikipedia.org

The certificates are created:

24/08/2023 11:25:37 DEBUG: Creating the Wazuh server certificates.
Ignoring -days without -x509; not generating a certificate
-----
Certificate request self-signature ok
subject=C = US, L = California, O = Wazuh, OU = Wazuh, CN = wazuh-1

But, if the code is debugged, it seems that the invalid DNS is ignored:

++ server_node_ip_1=("www.google.es" "wikipedia.org")
+ set +x

A new issue has been created to report this problem: #2371
