SPIKE - Initial registration system design #23393

Closed
Tracked by #22677
Selutario opened this issue May 14, 2024 · 7 comments

Comments


Selutario commented May 14, 2024

Epic
#22677

Description

We intend to replace the current agent registration system as part of #22677. The new system should rely on the Wazuh indexer to perform this task, thus getting rid of the current plain text registry keys (client.keys). Since all agent information will be stored in the indexer, global.db will also disappear. All Server management API endpoints that use global.db must be reviewed.

The registration information should now be stored in an index, which will be populated by the Server management API and later queried by the Agent comms API service during agent connection.

The Server management API should take care of:

  1. Accept a UUID.
  2. In addition to the ID, the API must generate credentials for the client (possibly a token), insert them into the indexer and wait until a response is obtained.
  3. The API must send the generated credentials to the client.

This spike is a research issue to identify what components and endpoints will be affected by the changes, and how.

Implementation restrictions

  • The accepted UUID must be generated using UUID v7.
  • The opensearch-py library should be considered for API-Indexer communication.
  • There must be a new default user containing the unique and essential permissions to perform registration.
  • The request should not be canceled halfway (for example, credentials are inserted into the indexer but not returned to the user due to timeout). We must try to turn it into an atomic operation.

Plan

  • New registration system.
    • List all endpoints in the current API that will be affected by the new registration system.
    • Research, define and design the changes that should be made to each of the identified endpoints.
  • Removal of wazuh-db.
    • List all endpoints and components that will be affected by the removal of wazuh-db (RBAC, fleet management, etc.).
    • Research, define and design the necessary changes for them to keep working.
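The spike's first two restrictions (accept a UUID v7, then mint a credential for the client) can be checked and exercised with the standard library alone. The following is an added example written for this issue, not code from the Wazuh project: the `uuid7`, `is_uuid_v7`, `uuid7_timestamp_ms`, `generate_agent_key` and `accept_registration` names, the 32-byte URL-safe key format and the error message are all assumptions. It implements the RFC 9562 layout (48-bit millisecond timestamp, version nibble 7, variant bits `10`) so the server can reject a v4 or malformed UUID before any indexer round-trip.

```python
"""Added example for the registration spike (not Wazuh project code).

Agent side: build a UUID v7 per RFC 9562.  Server side: validate that the
submitted uuid really is v7 and mint the per-agent credential to hand back.
Function names and the result shape are assumptions for this example.
"""
import secrets
import time
import uuid
from typing import Dict, Optional


def uuid7(unix_ms: Optional[int] = None) -> uuid.UUID:
    """Return a UUID v7: 48-bit Unix ms timestamp | ver(4)=7 | 12 random bits |
    var(2)=0b10 | 62 random bits.  Randomness comes from the OS CSPRNG."""
    if unix_ms is None:
        unix_ms = time.time_ns() // 1_000_000
    if not 0 <= unix_ms < (1 << 48):
        raise ValueError("timestamp does not fit in 48 bits")
    rand_a = secrets.randbits(12)
    rand_b = secrets.randbits(62)
    value = (unix_ms << 80) | (0x7 << 76) | (rand_a << 64) | (0b10 << 62) | rand_b
    return uuid.UUID(int=value)


def is_uuid_v7(candidate: str) -> bool:
    """True only for a well-formed RFC 4122/9562 UUID whose version nibble is 7."""
    try:
        parsed = uuid.UUID(candidate)
    except (ValueError, AttributeError, TypeError):
        return False
    return parsed.variant == uuid.RFC_4122 and parsed.version == 7


def uuid7_timestamp_ms(value: uuid.UUID) -> int:
    """Recover the embedded creation time; useful for ordering and for spotting
    registrations whose timestamp is implausibly far from the server clock."""
    return value.int >> 80


def generate_agent_key(nbytes: int = 32) -> str:
    """Credential returned to the agent: 256 bits from the OS CSPRNG, URL-safe."""
    return secrets.token_urlsafe(nbytes)


def accept_registration(uuid_str: str, name: Optional[str] = None,
                        ip: Optional[str] = None) -> Dict:
    """Server-side acceptance step: refuse anything that is not a v7 UUID before
    touching the indexer, then mint the credential that will be stored and returned."""
    if not is_uuid_v7(uuid_str):
        return {"error": "uuid must be a version 7 UUID"}
    return {"uuid": uuid_str, "name": name, "ip": ip, "key": generate_agent_key()}


if __name__ == "__main__":
    agent_uuid = str(uuid7())  # generated on the agent at install time
    print(agent_uuid, accept_registration(agent_uuid, name="web-01", ip="10.0.0.5"))
```

Because the timestamp occupies the high bits, v7 UUIDs sort by creation time, which is what makes them a better document id than v4 for an index that is queried on every agent connection.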
@Selutario Selutario changed the title [Spike] Initial registration system design SPIKE - Initial registration system design May 14, 2024
@fdalmaup fdalmaup self-assigned this Jun 4, 2024
@nico-stefani nico-stefani self-assigned this Jun 4, 2024

fdalmaup commented Jun 4, 2024

Initial affected endpoints list

The client.keys file is read by the wazuh.core.agent.get_agents_info function in several endpoints, including:

| Endpoint | Controller |
|---|---|
| DELETE /agents | api.controllers.agent_controller.delete_agents |
| GET /agents | api.controllers.agent_controller.get_agents |
| POST /agents | api.controllers.agent_controller.add_agent |
| GET /agents/summary/status | api.controllers.agent_controller.get_agent_summary_status |
| GET /agents/summary/os | api.controllers.agent_controller.get_agent_summary_os |
| GET /agents/stats/distinct | api.controllers.agent_controller.get_agent_fields |
| PUT /agents/reconnect | api.controllers.agent_controller.reconnect_agents |
| PUT /agents/node/{node_id}/restart | api.controllers.agent_controller.restart_agents_by_node |
| GET /agents/no_group | api.controllers.agent_controller.get_agent_no_group |
| GET /agents/{agent_id}/key | api.controllers.agent_controller.get_agent_key |
| PUT /agents/group | api.controllers.agent_controller.put_multiple_agent_single_group |
| DELETE /agents/group | api.controllers.agent_controller.delete_multiple_agent_single_group |
| GET /agents/{agent_id}/group/is_sync | api.controllers.agent_controller.get_sync_agent |
| DELETE /agents/{agent_id}/group/{group_id} | api.controllers.agent_controller.delete_single_agent_single_group |
| DELETE /agents/{agent_id}/group | api.controllers.agent_controller.delete_single_agent_multiple_groups |
| PUT /agents/{agent_id}/group/{group_id} | api.controllers.agent_controller.put_agent_single_group |
| GET /agents/outdated | api.controllers.agent_controller.get_agent_outdated |
| PUT /agents/upgrade_custom | api.controllers.agent_controller.put_upgrade_custom_agents |
| PUT /agents/upgrade | api.controllers.agent_controller.put_upgrade_agents |
| GET /agents/upgrade_result | api.controllers.agent_controller.get_agent_upgrade |

The data returned by the get_agents_info function will be obtained from the Indexer Agents list. The list, and therefore a request to the indexer, should be modified when an agent is registered or removed.


fdalmaup commented Jun 5, 2024

New registration system

Agent registry

The current endpoints fulfilling the task of registering agents are:

  • POST /agents (Controller: api.controllers.agent_controller.add_agent): basic agent adding behavior.
  • POST /agents/insert (Controller: api.controllers.agent_controller.insert_agent): Adds a new agent specifying its name, ID, and IP. The key can also be defined and it can be forced, i.e., removes the old agent with the same name, ID, or IP if the configuration is matched.
  • POST /agents/insert/quick (Controller: api.controllers.agent_controller.post_new_agent): Adds a new agent just passing its name.

The three endpoints use the wazuh.agent.add_agent function, the difference resides in the accepted parameters that determine the behavior throughout the endpoint execution flow. Both POST /agents/insert and POST /agents/insert/quick could be removed from the current Server Management API since their added value resides in the definition of a single accepted parameter or extra parameters.

Basic behavior review

The request body is a JSON object containing the name (name, required) and the IP address (ip, not required) of the agent to add. Since one of the new protocol's Implementation restrictions is that the Agents will generate a UUID per installation, a new uuid field should be added to the request body:

```json
{
  "uuid": "string",   // Required
  "name": "string",   // Not required
  "ip": "string"      // Not required
}
```

One of the central classes to modify is wazuh.core.agent.Agent. It is currently being instantiated by the endpoint to add it via authd (which will be removed) and contains the _add method to check the expected format of the passed parameters and the _add_authd private method to send the command to authd. This last method should be refactored in favor of a method that communicates the insertion of the agent to the Indexer.

Another possible parameter would be the public key proposed here for the agent authentication. This is yet to be discussed with the team. (June 6th update: this alternative has been discarded since it would involve making requests to the indexer to obtain the public key associated with the agent UUID each time the agent requests the Agent API).

RBAC permission

Regarding the permissions to perform registration, currently the agent:create action is the only required one.

Proposal for the communication with the indexer

The indexer should be requested to check if the agent to be registered already exists in its Agents list checking the uuid, name, and ip. If so, a response containing an error code like 1705 or 1706 (and a new one for already existent uuid) should be returned.

If the agent corresponds to a new one being registered, the wazuh.core.agent.Agent._add method will send the request to the indexer to add it to the Agents list.

It must be determined how and what information will be requested from the indexer, which will be done once there is greater precision of the data that it will store in the Agents List.

Agent removal

The DELETE /agents endpoint is the one in charge of removing the registered agents.

Query Parameters and behavior review

The current query parameters are:

  • agents_list: List of agent IDs (required)
  • purge: Permanently delete an agent from the key store
  • query: Query to filter results by
  • status: Filter by agent status (required)
  • older_than: Consider only agents whose last keep alive is older than the specified time frame.
  • os.platform: Filter by OS platform
  • os.version: Filter by OS version
  • os.name: Filter by OS name
  • manager_host: Filter by manager hostname where agents are connected to
  • version: Filter by agents version
  • agent_group: Filter by group of agents
  • node_name: Filter by node name
  • name: Filter by name
  • ip: Filter by the IP used by the agent to communicate with the manager
  • registerIP: Filter by the IP used when registering the agent

Behavior to be removed/modified:

  • The parameters used to filter the agents to remove are used by WazuhDBQueryAgents in the wazuh.agent.delete_agents function (as already mentioned below). This behavior will be removed.
  • The agent 000 is being taken into account in the function. This will be removed since the manager and agent will be separated.
  • For each agent in the filtered list (containing valid agents to be removed), the wazuh.agent.delete_agents function instantiates a wazuh.core.agent.Agent object and calls the .remove method. Internally, this method calls wazuh.core.agent.Agent._remove_authd which sends the command to authd to delete the agent.

RBAC permission

Proposal for the communication with the indexer

The current validation which involves the client.keys file and querying wazuh-db should be replaced with a request to the Indexer's Agents List to check the existence of the agents to remove. In said request, the current filters could be of aid, so we should analyze if the Agents List contains them or if another component needs to be consulted.

After the checking step, the request to the indexer to delete the registered agent would be carried out.


nico-stefani commented Jun 5, 2024

Components and endpoints that access Wazuh DB

Cluster components that access Wazuh DB through AsyncWazuhDBConnection

  • framework.wazuh.core.cluster.common.WazuhCommon.recalculate_group_hash
  • framework.wazuh.core.cluster.common.send_data_to_wdb
  • framework.wazuh.core.cluster.master.MasterHandler.hello
  • framework.wazuh.core.cluster.master.MasterHandler.send_entire_agent_groups_information
  • framework.wazuh.core.cluster.master.MasterHandler.agent_groups_update
  • framework.wazuh.core.cluster.worker.WorkerHandler.compare_agent_groups_checksums
  • framework.wazuh.core.cluster.worker.WorkerHandler.sync_agent_info

Framework components that access Wazuh DB

Through WazuhDBConnection

  • framework.wazuh.__init__.Wazuh._initialize
  • framework.wazuh.rootcheck.clear
  • framework.wazuh.syscheck.clear
  • framework.wazuh.core.agent.Agent.get_agent_groups
  • framework.wazuh.core.agent.Agent.set_agent_group_relationship
  • framework.wazuh.core.agent.expand_group
  • framework.wazuh.core.agent.get_manager_name
  • framework.wazuh.core.rootcheck.last_scan
  • framework.wazuh.core.rootcheck.rootcheck_delete_agent
  • framework.wazuh.core.rootcheck.syscheck_delete_agent
  • framework.wazuh.core.utils.WazuhDBBackend.connect_to_db

Through any of the classes WazuhDBQueryAgents, WazuhDBQueryDistinctAgents, WazuhDBQueryGroupByAgents, WazuhDBQueryMultigroup

  • framework.wazuh.agent.get_agents_summary_status
  • framework.wazuh.agent.get_agents_summary_os
  • framework.wazuh.agent.get_distinct_agents
  • framework.wazuh.agent.restart_agents
  • framework.wazuh.agent.get_agents
  • framework.wazuh.agent.delete_agents
  • framework.wazuh.agent.get_outdated_agents
  • framework.wazuh.agent.upgrade_agents
  • framework.wazuh.agent.get_upgrade_result
  • framework.wazuh.rootcheck.run
  • framework.wazuh.stats.get_daemons_stats_agents
  • framework.wazuh.syscheck.run
  • framework.wazuh.syscheck.clear
  • framework.wazuh.core.agent.Agent.load_info_from_db
  • framework.wazuh.core.agent.Agent.get_agent_os_name
  • framework.wazuh.core.agent.Agent.get_agents_overview

Through WazuhDBQueryGroup

  • framework.wazuh.agent.get_agents_groups

Through any of the classes WazuhDBQueryMitre, WazuhDBQueryMitreMetadata, WazuhDBQueryMitreRelational, WazuhDBQueryMitreRelationalPhase, WazuhDBQueryMitreRelationalMitigate, WazuhDBQueryMitreRelationalUse, WazuhDBQueryMitreMitigations, WazuhDBQueryMitreReferences, WazuhDBQueryMitreTactics, WazuhDBQueryMitreTechniques, WazuhDBQueryMitreGroups, WazuhDBQueryMitreSoftware

  • framework.wazuh.mitre.mitre_metadata
  • framework.wazuh.mitre.mitre_mitigations
  • framework.wazuh.mitre.mitre_references
  • framework.wazuh.mitre.mitre_tactics
  • framework.wazuh.mitre.mitre_techniques
  • framework.wazuh.mitre.mitre_groups
  • framework.wazuh.mitre.mitre_software

Through WazuhDBQueryRootcheck

  • framework.wazuh.rootcheck.get_rootcheck_agent

Through any of the classes WazuhDBQuerySCA, WazuhDBQuerySCACheck, WazuhDBQuerySCACheckIDs, WazuhDBQuerySCACheckRelational, WazuhDBQueryDistinctSCACheck

  • framework.wazuh.sca.get_sca_list
  • framework.wazuh.sca.get_sca_checks

Through WazuhDBQuerySyscheck

  • framework.wazuh.syscheck.last_scan
  • framework.wazuh.syscheck.files

Through WazuhDBQuerySyscollector

  • framework.wazuh.ciscat.get_ciscat_results
  • framework.wazuh.syscollector.get_item_agent

Through WazuhDBQueryTask

  • framework.wazuh.task.get_task_status

API endpoints that access Wazuh DB through framework functions

| Endpoint | Controller | Framework Function | Deprecated |
|---|---|---|---|
| ❌ DELETE /experimental/rootcheck | api.controllers.experimental_controller.clear_rootcheck_database | framework.wazuh.rootcheck.clear | No |
| ❌ DELETE /rootcheck/{agent_id} | api.controllers.rootcheck_controller.delete_rootcheck | framework.wazuh.rootcheck.clear | No |
| ❌ DELETE /experimental/syscheck | api.controllers.rootcheck_controller.clear_syscheck_database | framework.wazuh.syscheck.clear | Yes |
| ❌ GET /agents/summary/status | api.controllers.agent_controller.get_agent_summary_status | framework.wazuh.agent.get_agents_summary_status | No |
| ❌ GET /agents/stats/distinct | api.controllers.agent_controller.get_agent_fields | framework.wazuh.agent.get_distinct_agents | No |
| PUT /agents/restart | api.controllers.agent_controller.restart_agents | framework.wazuh.agent.restart_agents | No |
| PUT /agents/{agent_id}/restart | api.controllers.agent_controller.restart_agent | framework.wazuh.agent.restart_agents | No |
| ❌ GET /agents | api.controllers.agent_controller.get_agents | framework.wazuh.agent.get_agents | No |
| ❌ GET /agents/no_group | api.controllers.agent_controller.get_agent_no_group | framework.wazuh.agent.get_agents | No |
| ❌ DELETE /agents | api.controllers.agent_controller.delete_agents | framework.wazuh.agent.delete_agents | No |
| ❌ GET /agents/outdated | api.controllers.agent_controller.get_agent_outdated | framework.wazuh.agent.get_outdated_agents | No |
| PUT /agents/upgrade | api.controllers.agent_controller.put_upgrade_agents | framework.wazuh.agent.upgrade_agents | No |
| PUT /agents/upgrade_custom | api.controllers.agent_controller.put_upgrade_custom_agents | framework.wazuh.agent.upgrade_agents | No |
| GET /agents/upgrade_result | api.controllers.agent_controller.get_agent_upgrade | framework.wazuh.agent.get_upgrade_result | No |
| ❌ PUT /rootcheck | api.controllers.rootcheck_controller.put_rootcheck | framework.wazuh.rootcheck.run | No |
| ❓ GET /agents/{agent_id}/daemons/stats | api.controllers.agent_controller.get_daemon_stats | framework.wazuh.stats.get_daemons_stats_agents | No |
| ❌ PUT /syscheck | api.controllers.syscheck_controller.put_syscheck | framework.wazuh.syscheck.run | No |
| ❌ DELETE /syscheck/{agent_id} | api.controllers.syscheck_controller.delete_syscheck_agent | framework.wazuh.stats.syscheck.clear | Yes |
| ❌ GET /mitre/metadata | api.controllers.mitre_controller.get_metadata | framework.wazuh.mitre.mitre_metadata | No |
| ❌ GET /mitre/mitigations | api.controllers.mitre_controller.get_mitigations | framework.wazuh.mitre.mitre_mitigations | No |
| ❌ GET /mitre/references | api.controllers.mitre_controller.get_references | framework.wazuh.mitre.mitre_references | No |
| ❌ GET /mitre/tactics | api.controllers.mitre_controller.get_tactics | framework.wazuh.mitre.mitre_tactics | No |
| ❌ GET /mitre/techniques | api.controllers.mitre_controller.get_techniques | framework.wazuh.mitre.mitre_techniques | No |
| ❌ GET /mitre/groups | api.controllers.mitre_controller.get_groups | framework.wazuh.mitre.mitre_groups | No |
| ❌ GET /mitre/software | api.controllers.mitre_controller.get_software | framework.wazuh.mitre.mitre_software | No |
| ❌ GET /rootcheck/{agent_id} | api.controllers.rootcheck_controller.get_rootcheck_agent | framework.wazuh.rootcheck.get_rootcheck_agent | No |
| ❌ GET /sca/{agent_id} | api.controllers.sca_controller.get_sca_agent | framework.wazuh.rootcheck.get_rootcheck_agent | No |
| ❌ GET /sca/{agent_id}/checks/{policy_id} | api.controllers.sca_controller.get_sca_checks | framework.wazuh.sca.get_sca_checks | No |
| ❌ GET /syscheck/{agent_id}/last_scan | api.controllers.syscheck_controller.get_last_scan_agent | framework.wazuh.syscheck.last_scan | No |
| ❌ GET /syscheck/{agent_id} | api.controllers.syscheck_controller.get_syscheck_agent | framework.wazuh.syscheck.files | Yes |
| ❌ GET /ciscat/{agent_id}/results | api.controllers.ciscat_controller.get_agents_ciscat_results | framework.wazuh.ciscat.get_ciscat_results | No |
| ❌ GET /experimental/syscollector/hardware | api.controllers.experimental_controller.get_hardware_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/netaddr | api.controllers.experimental_controller.get_network_address_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/netiface | api.controllers.experimental_controller.get_network_interface_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/netproto | api.controllers.experimental_controller.get_network_protocol_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/os | api.controllers.experimental_controller.get_os_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/packages | api.controllers.experimental_controller.get_packages_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/ports | api.controllers.experimental_controller.get_ports_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/processes | api.controllers.experimental_controller.get_processes_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/hotfixes | api.controllers.experimental_controller.get_hotfixes_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/hardware | api.controllers.syscollector_controller.get_hardware_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/netaddr | api.controllers.syscollector_controller.get_network_address_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/netiface | api.controllers.syscollector_controller.get_network_interface_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/netproto | api.controllers.syscollector_controller.get_network_protocol_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/os | api.controllers.syscollector_controller.get_os_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/packages | api.controllers.syscollector_controller.get_packages_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/ports | api.controllers.syscollector_controller.get_ports_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/processes | api.controllers.syscollector_controller.get_processes_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/hotfixes | api.controllers.syscollector_controller.get_hotfixes_info | framework.wazuh.syscollector.get_item_agent | Yes |
| GET /tasks/status | api.controllers.task_controller.get_tasks_status | framework.wazuh.task.get_task_status | No |

nico-stefani commented

Needed changes to replace Wazuh DB

To replace the Wazuh DB with the new data source, we will modify all the classes that talk with it.

Starting with the connectors:

  • AsyncWazuhDBConnection
  • WazuhDBConnection

And following with query builders:

  • WazuhDBQueryAgents
  • WazuhDBQueryDistinctAgents
  • WazuhDBQueryGroupByAgents
  • WazuhDBQueryMultigroup
  • WazuhDBQueryGroup
  • WazuhDBQueryMitre*
  • WazuhDBQueryRootcheck
  • WazuhDBQuerySCA*
  • WazuhDBQuerySyscheck
  • WazuhDBQuerySyscollector

It is necessary to mention whether we still need to keep the current class structure in this new implementation of the data model. Or if we can think of a new one.

Once the data layer is defined and implemented, the next step will be replacing the old WDB calls with the new ones.

Client to access data

Regarding the opensearch-py library, the async client that is provided is based on aiohttp.

This is an important issue to have in mind because it will be necessary to add a new set of dependencies:

```text
(tmp) ➜  ~ pip freeze
aiohttp==3.9.5
aiosignal==1.3.1
async-timeout==4.0.3
attrs==23.2.0
certifi==2024.6.2
charset-normalizer==3.3.2
Events==0.5
frozenlist==1.4.1
idna==3.7
multidict==6.0.5
opensearch-py==2.6.0
python-dateutil==2.9.0.post0
requests==2.32.3
six==1.16.0
urllib3==2.2.1
yarl==1.9.4
```

This matter will also be relevant to #23395 because the async component is an important key regarding the scalability and ability to handle high loads of requests.


fdalmaup commented Jun 7, 2024

New agent registration sequence diagram

Register agent

(image: "Register agent" sequence diagram; PlantUML source below)

PlantUML code

```plantuml
@startuml

actor User as user
participant Agent as agent

box "Server"
participant ServerMgmtAPI as server_management_API
endbox

box "Indexer" #LightBlue
participant AgentsList as agents_list
endbox

== Register agent ==

user -> agent++ : register {user, password}
agent -> server_management_API : POST /authenticate {user, password}
server_management_API -> agent : API token
agent -> server_management_API : POST /agents {uuid, name , ip}
server_management_API -> agents_list : Get Agents list related data
agents_list -> server_management_API : Agents list data
server_management_API -> server_management_API : Check retrieved data
server_management_API -> agents_list : Create new agent related data {uuid, name, ip, key}
agents_list -> server_management_API : agent creation confirmation
server_management_API -> agent : agent key
agent -> user-- : result
@enduml
```

Note

This first "two requests" to the indexer approach could be enhanced by making a single one, trying to create the agent entry in the Agents List by using the index method with the op_type set to create. If the document exists, the operation will fail, which we could use to raise the error without checking the registered agents.

Remove agent

(image: "Remove agent" sequence diagram; PlantUML source below)

Note

The agents_list can be composed of one or more agents' uuids.

Note

Similar to the previous case, another approach would be to try deleting the agent in a single request and analyze the indexer's response to determine if this was successful (the agent did not exist, an error arose, etc.).

PlantUML code

```plantuml
@startuml

actor User as user
participant Agent as agent

box "Server"
participant ServerMgmtAPI as server_management_API
endbox

box "Indexer" #LightBlue
participant AgentsList as agents_list
endbox

== Remove agent ==

user -> agent++ : remove {user, password}
agent -> server_management_API : POST /authenticate {user, password}
server_management_API -> agent : API token
agent -> server_management_API : DELETE /agents {agents_list, filters}
server_management_API -> agents_list : Get Agents list related data {filters}
agents_list -> server_management_API : Agents list data
server_management_API -> server_management_API : Check retrieved data
server_management_API -> agents_list : Delete agent {agents_list}
agents_list -> server_management_API : agent deletion confirmation
server_management_API -> agent : result
agent -> user-- : result
@enduml
```
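The two notes above (create-or-fail with `op_type` set to `create`, and deleting in one request and classifying the response) are what makes the registration request close to atomic: there is no window between "check" and "write" in which a second request can slip in. The block below is an added example written for this issue, not code from the Wazuh project or the opensearch-py library; it uses the real `index(..., op_type="create")` and `delete(...)` calls of the opensearch-py client and its `ConflictError` / `NotFoundError` exceptions, but the index name `agents`, the document layout, the result shapes, the `register_agent` / `remove_agents` names and the in-memory `FakeIndexer` stand-in (which lets it run offline) are all assumptions.

```python
"""Added example for the single-request register/remove variants (not Wazuh code).

register_agent: one indexer call; an existing uuid (used as the document _id)
surfaces as HTTP 409 instead of requiring a prior lookup.
remove_agents:  one delete per uuid; 404 means "was not registered".
"""
import secrets
from typing import Dict, Iterable, List

try:  # the real client raises these on HTTP 409 / 404
    from opensearchpy.exceptions import ConflictError, NotFoundError
except ImportError:  # assumption: same-named stand-ins when the library is absent
    class ConflictError(Exception):
        pass

    class NotFoundError(Exception):
        pass

AGENTS_INDEX = "agents"  # assumed name for the Agents list index
# constructed sample value for the demo; not a real agent
SAMPLE_UUID = "018f7b1c-2c6e-7b3a-9d1e-5f3a2b1c0d9e"


def register_agent(client, agent_uuid: str, name: str, ip: str) -> Dict:
    """Create-or-fail in a single request.  The key is minted before the write
    but only returned to the caller once the indexer has confirmed the document."""
    key = secrets.token_urlsafe(32)
    doc = {"uuid": agent_uuid, "name": name, "ip": ip, "key": key}
    try:
        client.index(index=AGENTS_INDEX, id=agent_uuid, body=doc, op_type="create")
    except ConflictError:  # document with this _id already exists
        return {"uuid": agent_uuid, "error": "agent already registered"}
    return {"uuid": agent_uuid, "key": key}


def remove_agents(client, uuids: Iterable[str]) -> Dict[str, List[str]]:
    """Delete directly and classify the indexer's answer instead of checking first."""
    result: Dict[str, List[str]] = {"affected_items": [], "failed_items": []}
    for agent_uuid in uuids:
        try:
            client.delete(index=AGENTS_INDEX, id=agent_uuid)
        except NotFoundError:  # nothing to delete: report it, do not abort the batch
            result["failed_items"].append(agent_uuid)
        else:
            result["affected_items"].append(agent_uuid)
    return result


class FakeIndexer:
    """In-memory stand-in exposing the two opensearch-py calls used above,
    with the same conflict/not-found behaviour (constructed for this example)."""

    def __init__(self) -> None:
        self.docs: Dict[tuple, Dict] = {}

    def index(self, index, body, id=None, op_type=None, **params):
        if op_type == "create" and (index, id) in self.docs:
            raise ConflictError(409, "version_conflict_engine_exception", {})
        self.docs[(index, id)] = dict(body)
        return {"_index": index, "_id": id, "result": "created"}

    def delete(self, index, id, **params):
        if (index, id) not in self.docs:
            raise NotFoundError(404, "not_found", {})
        del self.docs[(index, id)]
        return {"_index": index, "_id": id, "result": "deleted"}


def demo() -> Dict:
    """Register once, try to register the same uuid again, then remove a
    registered and an unknown uuid in one batch."""
    client = FakeIndexer()
    first = register_agent(client, SAMPLE_UUID, "web-01", "10.0.0.5")
    again = register_agent(client, SAMPLE_UUID, "web-01", "10.0.0.5")
    removed = remove_agents(client, [SAMPLE_UUID, "00000000-0000-7000-8000-000000000000"])
    return {"first": first, "again": again, "removed": removed, "remaining": len(client.docs)}


if __name__ == "__main__":
    print(demo())
```

With the real client the same functions take an `OpenSearch` instance (or, inside the aiohttp-based service, an `AsyncOpenSearch` instance with the calls awaited). Two design points worth carrying into the MVP: the conflict is keyed on the document `_id`, so name/IP duplicates (the 1705/1706 cases above) still need either a uniqueness check or a separate lookup; and if the Agents list is readable by roles other than the registration user, storing a hash of the key rather than the key itself limits what a read of the index exposes.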

@vikman90 vikman90 added the phase/spike Spike label Jun 11, 2024

nico-stefani commented Jun 12, 2024

Status for the complete list of endpoints for 5.0

| Symbol | Meaning |
|---|---|
| ✔️ | The endpoint must remain |
| | The endpoint must be removed |
| ❓ | To discuss |

| Endpoint | Status |
|---|---|
| GET / | ✔️ |
| PUT /active-response | ✔️ |
| DELETE /agents | |
| GET /agents | |
| POST /agents | ✔️ Rename to /register |
| GET /agents/{agent_id}/config/{component}/{configuration} | ✔️ |
| DELETE /agents/{agent_id}/group | ❓ (in 55000 as a wrapper or new endpoints in opensearch) |
| GET /agents/{agent_id}/group/is_sync | |
| DELETE /agents/{agent_id}/group/{group_id} | ❓ (in 55000 as a wrapper or new endpoints in opensearch) |
| PUT /agents/{agent_id}/group/{group_id} | ❓ (in 55000 as a wrapper or new endpoints in opensearch) |
| GET /agents/{agent_id}/key | |
| PUT /agents/{agent_id}/restart | ✔️ |
| GET /agents/{agent_id}/daemons/stats | |
| GET /agents/{agent_id}/stats/{component} | |
| PUT /agents/upgrade | ✔️ |
| PUT /agents/upgrade_custom | ✔️ |
| GET /agents/upgrade_result | |
| DELETE /agents/group | ❓ (in 55000 as a wrapper or new endpoints in opensearch) |
| PUT /agents/group | ❓ (in 55000 as a wrapper or new endpoints in opensearch) |
| PUT /agents/group/{group_id}/restart | ✔️ |
| POST /agents/insert | |
| POST /agents/insert/quick | |
| GET /agents/no_group | |
| PUT /agents/node/{node_id}/restart | ✔️ |
| GET /agents/outdated | |
| PUT /agents/reconnect | ✔️ |
| PUT /agents/restart | ✔️ |
| GET /agents/stats/distinct | |
| GET /agents/summary/os | |
| GET /agents/summary/status | |
| DELETE /groups | ✔️ |
| GET /groups | ✔️ |
| POST /groups | ✔️ |
| GET /groups/{group_id}/agents | |
| GET /groups/{group_id}/configuration | ✔️ |
| PUT /groups/{group_id}/configuration | ✔️ |
| GET /groups/{group_id}/files | ✔️ |
| GET /groups/{group_id}/files/{file_name} | ✔️ |
| GET /ciscat/{agent_id}/results | |
| GET /cluster/local/info | ✔️ |
| GET /cluster/local/config | ✔️ |
| GET /cluster/nodes | ✔️ |
| GET /cluster/healthcheck | ✔️ |
| GET /cluster/ruleset/synchronization | ✔️ |
| GET /cluster/status | ✔️ |
| GET /cluster/api/config | ✔️ |
| GET /cluster/{node_id}/status | ✔️ |
| GET /cluster/{node_id}/info | ✔️ |
| GET /cluster/{node_id}/configuration | ✔️ |
| PUT /cluster/{node_id}/configuration | ✔️ |
| GET /cluster/{node_id}/daemons/stats | |
| GET /cluster/{node_id}/stats | |
| GET /cluster/{node_id}/stats/hourly | |
| GET /cluster/{node_id}/stats/weekly | |
| GET /cluster/{node_id}/stats/analysisd | |
| GET /cluster/{node_id}/stats/remoted | |
| GET /cluster/{node_id}/logs | ✔️ |
| GET /cluster/{node_id}/logs/summary | ✔️ |
| PUT /cluster/restart | ✔️ |
| GET /cluster/configuration/validation | ✔️ |
| GET /cluster/{node_id}/configuration/{component}/{configuration} | ✔️ |
| GET /lists | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| GET /lists/files/(unknown) | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| PUT /lists/files/(unknown) | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| DELETE /lists/files/(unknown) | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| GET /lists/files | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| PUT /logtest | ✔️ |
| DELETE /logtest/sessions/{token} | ✔️ |
| GET /manager/status | ✔️ |
| GET /manager/info | ✔️ |
| GET /manager/configuration | ✔️ |
| PUT /manager/configuration | ✔️ |
| GET /manager/daemons/stats | |
| GET /manager/stats | |
| GET /manager/stats/hourly | |
| GET /manager/stats/weekly | |
| GET /manager/stats/analysisd | |
| GET /manager/stats/remoted | |
| GET /manager/logs | ✔️ |
| GET /manager/logs/summary | ✔️ |
| GET /manager/api/config | ✔️ |
| PUT /manager/restart | ✔️ |
| GET /manager/configuration/validation | ✔️ |
| GET /manager/configuration/{component}/{configuration} | ✔️ |
| GET /manager/version/check | ✔️ |
| GET /mitre/groups | |
| GET /mitre/metadata | |
| GET /mitre/mitigations | |
| GET /mitre/references | |
| GET /mitre/software | |
| GET /mitre/tactics | |
| GET /mitre/techniques | |
| PUT /rootcheck | |
| GET /rootcheck/{agent_id} | |
| GET /rootcheck/{agent_id}/last_scan | |
| GET /rules | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| GET /rules/groups | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| GET /rules/requirement/{requirement} | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| GET /rules/files | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| GET /rules/files/(unknown) | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| PUT /rules/files/(unknown) | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| DELETE /rules/files/(unknown) | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| GET /sca/{agent_id} | |
| GET /sca/{agent_id}/checks/{policy_id} | |
| PUT /syscheck | |
| GET /syscheck/{agent_id} | |
| DELETE /syscheck/{agent_id} | |
| GET /syscheck/{agent_id}/last_scan | |
| GET /decoders | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| GET /decoders/files | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| GET /decoders/files/(unknown) | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| PUT /decoders/files/(unknown) | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| DELETE /decoders/files/(unknown) | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| GET /decoders/parents | ❓ (ruleset management will remain in 55000, but with different endpoints and parameters) |
| DELETE /experimental/rootcheck | |
| DELETE /experimental/syscheck | |
| GET /experimental/ciscat/results | |
| GET /experimental/syscollector/hardware | |
| GET /experimental/syscollector/netaddr | |
| GET /experimental/syscollector/netiface | |
| GET /experimental/syscollector/netproto | |
| GET /experimental/syscollector/os | |
| GET /experimental/syscollector/packages | |
| GET /experimental/syscollector/ports | |
| GET /experimental/syscollector/processes | |
| GET /experimental/syscollector/hotfixes | |
| GET /syscollector/{agent_id}/hardware | |
| GET /syscollector/{agent_id}/hotfixes | |
| GET /syscollector/{agent_id}/netaddr | |
| GET /syscollector/{agent_id}/netiface | |
| GET /syscollector/{agent_id}/netproto | |
| GET /syscollector/{agent_id}/os | |
| GET /syscollector/{agent_id}/packages | |
| GET /syscollector/{agent_id}/ports | |
| GET /syscollector/{agent_id}/processes | |
| POST /security/user/authenticate | ✔️ |
| GET /security/user/authenticate | |
| DELETE /security/user/authenticate | ✔️ |
| POST /security/user/authenticate/run_as | ✔️ |
| GET /security/users/me | ✔️ |
| GET /security/users/me/policies | ✔️ |
| GET /security/user/revoke | ✔️ |
| PUT /security/users/{user_id}/run_as | ✔️ |
| GET /security/actions | ✔️ |
| GET /security/resources | ✔️ |
| GET /security/users | ✔️ |
| POST /security/users | ✔️ |
| DELETE /security/users | ✔️ |
| PUT /security/users/{user_id} | ✔️ |
| GET /security/roles | ✔️ |
| POST /security/roles | ✔️ |
| DELETE /security/roles | ✔️ |
| GET /security/roles/{role_id} | ✔️ |
| GET /security/rules | ✔️ |
| POST /security/rules | ✔️ |
| DELETE /security/rules | ✔️ |
| PUT /security/rules/{rule_id} | ✔️ |
| GET /security/policies | ✔️ |
| POST /security/policies | ✔️ |
| DELETE /security/policies | ✔️ |
| PUT /security/policies/{policy_id} | ✔️ |
| POST /security/users/{user_id}/roles | ✔️ |
| DELETE /security/users/{user_id}/roles | ✔️ |
| POST /security/roles/{role_id}/policies | ✔️ |
| DELETE /security/roles/{role_id}/policies | ✔️ |
| POST /security/roles/{role_id}/rules | ✔️ |
| DELETE /security/roles/{role_id}/rules | ✔️ |
| GET /overview/agents | |
| GET /security/config | ✔️ |
| PUT /security/config | ✔️ |
| DELETE /security/config | ✔️ |
| GET /tasks/status | |
| POST /events | |


Selutario commented Jun 21, 2024

Conclusion

  • All code dedicated to creating sql queries and communicating with wazuh-db will be removed from the framework.
  • Most GET endpoints that get data from wazuh-db will be removed. The information they previously offered will disappear or will be searchable in the indexer's API. The complete list of affected endpoints can be seen here.
  • Registration will be done through the POST /agents endpoint or a variant renamed to POST /endpoints. Its operation will be very similar, with the difference that it will store the data in the Wazuh indexer. The workflow can be seen here. In the MVP we decide how to ensure that this process is carried out before returning a timeout (or how to cancel the task if that happens).
