Update cluster template in ossec.conf #13353

Open
10 of 13 tasks
Selutario opened this issue May 4, 2022 · 1 comment · May be fixed by #13771

Comments

@Selutario
Contributor

Selutario commented May 4, 2022

Description

This is the cluster configuration that is created by default in ossec.conf when installing a manager:

<cluster>
 <name>wazuh</name>
 <node_name>node01</node_name>
 <node_type>master</node_type>
 <key>KEY</key>
 <port>1516</port>
 <bind_addr>0.0.0.0</bind_addr>
 <nodes>
  <node>NODE_IP</node>
 </nodes>
 <hidden>no</hidden>
 <disabled>yes</disabled>
</cluster>

As part of #7108, it is intended to ease said configuration and make the cluster run by default. Now, all optional settings should not appear by default in the ossec.conf.

Some options are deleted but others are simply not included. Those should be added by the user, if desired, in case they need a different value than default:

Checks

wazuh/wazuh

  • Unit tests without failures. Updated and/or expanded if there are new functions/methods/outputs:
    • Cluster (framework/wazuh/core/cluster/tests/ & framework/wazuh/core/cluster/dapi/tests/)
    • Core (framework/wazuh/core/tests/)
    • SDK (framework/wazuh/tests/)
    • RBAC (framework/wazuh/rbac/tests/)
    • API (api/api/tests/)
  • API tavern integration tests without failures. Updated and/or expanded if needed (api/test/integration/):
    • Affected tests
    • Affected RBAC (black and white) tests
  • Review integration test mapping using the script (api/test/integration/mapping/integration_test_api_endpoints.json)
  • Review of spec.yaml examples and schemas (api/api/spec/spec.yaml)
  • Review exceptions remediation when any endpoint path changes or is removed (framework/wazuh/core/exception.py)
  • Changelog (CHANGELOG.md)

wazuh/wazuh-documentation

  • Migration from 3.X for changed endpoints (source/user-manual/api/equivalence.rst)
  • Update RBAC reference with new/modified actions/resources/relationships (source/user-manual/api/rbac/reference.rst)
@Selutario
Contributor Author

Status update

Wazuh cluster configuration

I have been testing different alternatives in this issue. This is how the cluster template would look now in new installations:

  <cluster>
    <node_type>master</node_type>
    <bind_addr>127.0.0.1</bind_addr>
    <nodes>
        <node>127.0.0.1</node>
    </nodes>
    <node_name>node01</node_name>
    <port>1516</port>
    <hidden>no</hidden>
  </cluster>

There are, however, multiple things to discuss yet:

  • bind_addr used to be 0.0.0.0, but now the Cluster process will always be running (every manager will be a single-node cluster). Therefore, I think that binding the cluster server to localhost by default would make it safer.
  • node_name must be different for each node, but the hostname would be used instead when not included. There would be fewer options to change by the user in this case.
  • Not sure if port, hidden, and other options that are not required for the configuration, need to be in the template.
  • nodes tag is outdated. Until v3.2.2, the users had to write there all the nodes of the cluster (master and workers), but that is not required anymore. However, it could be a breaking change so probably it will remain as is.

OpenSearch cluster

I reviewed how OpenSearch deals with the cluster configuration. It turns out we do it in a quite similar way. These are the things required to set up an OpenSearch cluster:

  1. Set cluster name.
  2. Set node name.
  3. Set node roles.
  4. Bind IP address.
  5. Set which node/nodes to connect to.

And this is what users who want to set up a Wazuh cluster will need to change:

Master node:

  1. Bind IP address.

Worker nodes:

  1. Node type.
  2. Set which node to connect to.

Node name could be optional (still to be discussed). Other options are not required for it to work.
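
An added example, not part of the original issue and not Wazuh's own code: a Python check over the cluster block of an ossec.conf that flags the wildcard bind address and the unedited template placeholders discussed above. The function name audit_cluster and the finding messages are assumptions made for illustration; the sample inputs are the two templates quoted in this issue, condensed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed inputs: the two <cluster> templates quoted in this issue.
OLD_TEMPLATE = """<cluster>
  <name>wazuh</name><node_name>node01</node_name><node_type>master</node_type>
  <key>KEY</key><port>1516</port><bind_addr>0.0.0.0</bind_addr>
  <nodes><node>NODE_IP</node></nodes>
  <hidden>no</hidden><disabled>yes</disabled>
</cluster>"""
NEW_TEMPLATE = """<cluster>
  <node_type>master</node_type><bind_addr>127.0.0.1</bind_addr>
  <nodes><node>127.0.0.1</node></nodes>
  <node_name>node01</node_name><port>1516</port><hidden>no</hidden>
</cluster>"""
PLACEHOLDERS = {"key": "KEY", "nodes/node": "NODE_IP"}  # unedited template values


def audit_cluster(conf_text):
    """Return (setting, message) findings for every <cluster> block (hypothetical helper)."""
    # ossec.conf can hold several top-level blocks, so wrap it in a synthetic root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    findings = []
    for cluster in root.iter("cluster"):
        bind = (cluster.findtext("bind_addr") or "").strip()
        disabled = (cluster.findtext("disabled") or "").strip() == "yes"
        state = "disabled" if disabled else "running"
        try:
            addr = ipaddress.ip_address(bind) if bind else None
        except ValueError:
            addr = None  # hostname or malformed value: cannot classify, so report it
            findings.append(("bind_addr", f"not an IP literal: {bind!r}"))
        if addr is not None and addr.is_unspecified:
            # 0.0.0.0 or :: means the cluster port is exposed on every interface.
            findings.append(("bind_addr", f"listens on all interfaces ({state})"))
        elif addr is not None and not addr.is_loopback and not disabled:
            # Expected on a real master node; the port should be limited to peers.
            findings.append(("bind_addr", f"reachable beyond localhost: {addr}"))
        for path, placeholder in PLACEHOLDERS.items():
            if any((n.text or "").strip() == placeholder for n in cluster.findall(path)):
                findings.append((path, f"template placeholder {placeholder} left in place"))
    return findings


if __name__ == "__main__":
    for label, conf in (("old", OLD_TEMPLATE), ("new", NEW_TEMPLATE)):
        print(label, audit_cluster(conf) or "no findings")
```
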
