add working agent_auth to windows #181
Conversation
|
Cool. People have been asking for this quite a bit. It even passed the build tests. 👍 |
|
You the man! Thanks for your efforts. I wish I hadn't spent that time last week on the psexec script to parse/copy windows agent keys. :) I'm looking forward to trying this. I assume I can just compile this and use it with 2.7 right? |
|
Yes, it should work. |
|
Sorry I have not gotten to review this yet. Looks good and makes use of the native SSL on windows. Code make sense and it works. Was going to just merge it but I am worried about having to merge the work going on here and the work going on at #166 code: https://github.com/mweigel/ossec-hids/tree/authd_certificate_verify . With both codes moving the same code we need to get some conversation going. So please chat guys what is the right way? One takes down the native SSL support on windows the other takes us more down the OpenSSL Path. |
|
Making use of native SSL functionality where available makes a lot of sense. Let Microsoft deal with SSL maintenance and issues. My .02 |
|
@mstarks01 agree, but that means more code and more dev time and features need to be implemented twice. @mweigel @gaelmuller do you have any input, suggestions, ideas, hate for ssl, or ....... :) |
|
Definitely advantages and disadvantages either way. Having separate clients does give people the flexibility to use solutions most appropriate for the given platform but at the cost of extra code. I don't know which is the right solution here but I don't think there would be too much of an issue merging my changes with the new client code here as they seem to be quite independent of each other (sorry if I've missed something). I've made only small changes to ossec-authd currently and the default behaviour (no client verification) hasn't changed so I don't think there would be any issues interacting with this client but it would definitely need testing, which I'm happy to help with if needed. I most likely won't make any further changes to authd right now either as I don't want to change too much at once although I'm still keen on future enhancements. Thanks guys. |
|
I agree with @mweigel, there should be no problem merging both his changes and mine. I chose to use native SSL support because I wanted the OSSEC agent to remain without external dependency (plus, use of openssl on Windows in not common). |
|
I am testing ossec in our environment and one of the main issues we are running into is auto auth of clients. We have thousands of devices that will be connecting to ossec. The addition of agent-auth code to Windows clients is exactly what I am looking for! I am a security analyst, and don't have a ton of experience with coding per say. How can I incorporate this code into the ossec client windows binary? Thank You for your help! |
|
This feature would have saved me several hours over the past few days. Would really be great to see it merged in. |
|
The third parameter to OS_ConnectTCP() should be dropped. |
|
What is the status of this PR? |
|
@ozonni IIRC, the changes in this PR don't work with the current tree. I think I had some changes that would enable this feature for the win32 port, but I don't remember the status. |
|
For anyone interested in building just the agent-auth.exe from the win-auth branch, you can just install a VM with CentOS6 or 7 and do the following (Other packages might be required, I did this on a CentOS6 with most development tools pre-installed):
This should produce a working agent-auth.exe, without the dependency on specific directories or anything. Tested it, and you can run the tool stand-alone from anywhere, just copy the client.keys file to the ossec installation directory afterwards and it should be fine. This might not be an option for everyone, but since we are re-packaging the OSSEC-agent in an MSI in my organization anyway, this turned out to be quite a nice solution for us. As @gaelmuller says, also remember that this version of the agent-auth.exe does not support any kind of authentication. |
|
Is this code ever going to be merged in? I found this from a comment on Server Fault. I want to automate the installation of OSSEC clients on Windows machines and it seems I need this agent-auth executable in order to do that. Alternatively, does anyone have an already compiled copy they could share? |
|
Also, I should mention that I tried following MagnusMWW's instructions (note that you have to add asterisks where Github added italics), and was able to compile the agent-auth.exe file, but when I run it, it just spits out this message: "This version of agent-auth.exe is not compatible with the version of Windows you're running. Check your computer's system information and the contact the software publisher." |
|
Unfortunately it requires time and energy. Both are in short supply, On Sep 9, 2016 2:38 PM, "soapergem" notifications@github.com wrote:
|
|
@soapergem; Are you possibly trying to run the 64-bit binary that the instructions i posted will build on a 32-bit Windows system? You can adjust the process to instead build a 32-bit binary by substituting: btw, I'm updating my reply above to use code markdown instead of the simple ">", to avoid those stars being stripped out and confusing anyone else. Good catch! |
|
Hi guys, I have being testing everything and works fine on 2.8.3, but it does not on ossec-hids/master. Use development branch and run:
The installer ossec-win32-agent.exe generated is located on src/win32 folder. Many thanks to @gaelmuller, @MagnusMWW and everyone here. |
|
I got agent_auth.exe to compile, but it doesn't appear to do anything. Unfortunately I don't know how to do much debugging in windows, so any help would be appreciated. |
|
@ddpbsd: That's strange... What system did you try to run it on? I only have a Windows 7 Pro (x86_64) systems accessible to test on, but both the 32-bit and the 64-bit build works for me on those systems. Afraid that I'm not that seasoned in Windows application debugging myself either, sorry. If you'd like, you could try my builds and see if they work diffrently (they shouldn't really, but maybe worth a try?). ftp://kalasarn.se/pub/temp/agent-auth-x86.exe When running, i just have to use these options when invoking: |
|
@MagnusMWW I tried downloading the files you posted on your FTP site, but the file transfers consistently fail. If it's not too much trouble, can you either check on that, or share them a different way? Thanks so much. |
|
I uploaded a working agent-auth.exe, tested on Win10, Win7 and Win 2012 R2. http://52.51.47.120:8000/agent-auth.exe |
|
@soapergem i see that @snaow beat me to it, but I've fixed the files now as well. Wrong permissions... ;) |
|
Just trying to help @MagnusMWW :D btw we also included "-P" option for using ossec-authd password protected wazuh/wazuh@6c7326d Still everything on development! WIP! PS: I am using the agent-auth.exe daily and it works really good, you don't know how happy I am registering agents on Windows with no external-tools needed haha |
|
@snaow: I appreciate it! :) The password-protection sounds promising. Think I'll give that a go. Thanks for the tip! It really helps, doesn't it? We have a tricky situation where we need to deploy a lot of agents on Windows machines during tight change-windows, and being able to use agent-auth certainly is helping with that! :) |
|
So I've noticed that this Windows version of the agent-auth utility doesn't support the -v flag to supply a CA certificate. But I also see some comments back and forth about native SSL vs. OpenSSL. I confess I'm a novice when it comes to certificates and authentication, so can someone tell me: does this (windows) agent-auth utility handle the use of a certificate during authentication with the ossec-authd service? Even if it involves adding a certificate to Windows' store... would that work? |
|
How long until this gets merged and make into a release? |
| @@ -20,6 +20,7 @@ ${MING_BASE}-gcc -o ossec-agent.exe -Wall -DARGV0=\"ossec-agent\" -DCLIENT -DWI | |||
| ${MING_BASE}-gcc -o ossec-agent-eventchannel.exe -Wall -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 -DOSSECHIDS -DEVENTCHANNEL_SUPPORT icon.o os_regex/*.c os_net/*.c os_xml/*.c zlib-1.2.8/*.c config/*.c shared/*.c os_execd/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/sha1/*.c os_crypto/md5_sha1/*.c os_crypto/shared/*.c rootcheck/*.c *.c -Iheaders/ -I./ -lwsock32 -lwevtapi | |||
| ${MING_BASE}-gcc -o ossec-rootcheck.exe -Wall -DARGV0=\"ossec-rootcheck\" -DCLIENT -DWIN32 icon.o os_regex/*.c os_net/*.c os_xml/*.c config/*.c shared/*.c win_service.c rootcheck/*.c -Iheaders/ -I./ -lwsock32 | |||
| ${MING_BASE}-gcc -o manage_agents.exe -Wall -DARGV0=\"manage-agents\" -DCLIENT -DWIN32 -DMA os_regex/*.c zlib-1.2.8/*.c os_zlib.c shared/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/shared/*.c addagent/*.c -Iheaders/ -I./ -lwsock32 -lshlwapi | |||
| ${MING_BASE}-gcc -o agent-auth.exe -Wall -DARGV0=\"agent-auth\" -DCLIENT -DWIN32 os_auth/agent_auth.c shared/*.c os_regex/*.c os_net/*.c os_crypto/md5/*.c win_service.c addagent/validate.c -Iheaders/ -I./ -lwsock32 -lsecur32 | |||
There was a problem hiding this comment.
os_auth/agent_auth.c -> agent_auth.c
win_service.c -> win32/win_service.c
|
Is agent-auth now working correctly for automation purposes on windows? Also @snaow your link doesn't work anymore, just FYI. |
|
@stevenmdatt agent-auth is working properly in Wazuh fork, I've been using it every day since a few months ago. You can download the release .msi and extract the agent-auth.exe tool from there: It should be compatible with OSSEC 2.8/2.9. |
|
There's an |
|
+1 to this PR. It would be very valuable to have this merged in. |
|
@JLeClerc Does it work? |
|
Closing this one out since we finished implementing this in another PR. Thanks for everyones contributions on this PR. Much appreciated everyone! You can find this functionality in OSSEC 3.0.0, with enhancements already on the way for 3.0.1 |
Add agent_auth functionnality to Windows.
Note that this is the same level of functionnality currently provided on UNIX: there is no authentication, resulting in poor security.
This change is