SPIKE - Initial registration system design #23393
Comments
Initial affected endpoints list

The

The data returned by the
New registration system

Agent registry

The current endpoints fulfilling the task of registering agents are:

The three endpoints use the

Basic behavior review

The request body is a JSON object containing the name (

```json
{
  "uuid": "string", // Required
  "name": "string", // Not required
  "ip": "string"    // Not required
}
```

One of the central classes to modify is

Another possible parameter would be the public key proposed here for the agent authentication. This is yet to be discussed with the team. (June 6th update: this alternative has been discarded, since it would involve making requests to the indexer to obtain the public key associated with the agent UUID each time the agent requests the Agent API.)

RBAC permission

Regarding the permissions to perform registration, currently the

Proposal for the communication with the indexer

The indexer should be requested to check if the agent to be registered already exists in its Agents list, checking the

If the agent corresponds to a new one being registered, the

It must be determined how and what information will be requested from the indexer, which will be done once there is greater precision about the data that it will store in the

Agent removal

The

Query parameters and behavior review

The current query parameters are:

Behavior to be removed/modified:

RBAC permission

Proposal for the communication with the indexer

The current validation, which involves the

After the checking step, the request to the indexer to delete the registered agent would be carried out.
Components and endpoints that access Wazuh DB

Cluster components that access Wazuh DB through
| Endpoint | Controller | Framework Function | Deprecated |
|---|---|---|---|
| ❌ DELETE /experimental/rootcheck | api.controllers.experimental_controller.clear_rootcheck_database | framework.wazuh.rootcheck.clear | No |
| ❌ DELETE /rootcheck/{agent_id} | api.controllers.rootcheck_controller.delete_rootcheck | framework.wazuh.rootcheck.clear | No |
| ❌ DELETE /experimental/syscheck | api.controllers.rootcheck_controller.clear_syscheck_database | framework.wazuh.syscheck.clear | Yes |
| ❌ GET /agents/summary/status | api.controllers.agent_controller.get_agent_summary_status | framework.wazuh.agent.get_agents_summary_status | No |
| ❌ GET /agents/stats/distinct | api.controllers.agent_controller.get_agent_fields | framework.wazuh.agent.get_distinct_agents | No |
| PUT /agents/restart | api.controllers.agent_controller.restart_agents | framework.wazuh.agent.restart_agents | No |
| PUT /agents/{agent_id}/restart | api.controllers.agent_controller.restart_agent | framework.wazuh.agent.restart_agents | No |
| ❌ GET /agents | api.controllers.agent_controller.get_agents | framework.wazuh.agent.get_agents | No |
| ❌ GET /agents/no_group | api.controllers.agent_controller.get_agent_no_group | framework.wazuh.agent.get_agents | No |
| ❌ DELETE /agents | api.controllers.agent_controller.delete_agents | framework.wazuh.agent.delete_agents | No |
| ❌ GET /agents/outdated | api.controllers.agent_controller.get_agent_outdated | framework.wazuh.agent.get_outdated_agents | No |
| PUT /agents/upgrade | api.controllers.agent_controller.put_upgrade_agents | framework.wazuh.agent.upgrade_agents | No |
| PUT /agents/upgrade_custom | api.controllers.agent_controller.put_upgrade_custom_agents | framework.wazuh.agent.upgrade_agents | No |
| GET /agents/upgrade_result | api.controllers.agent_controller.get_agent_upgrade | framework.wazuh.agent.get_upgrade_result | No |
| ❌ PUT /rootcheck | api.controllers.rootcheck_controller.put_rootcheck | framework.wazuh.rootcheck.run | No |
| ❓ GET /agents/{agent_id}/daemons/stats | api.controllers.agent_controller.get_daemon_stats | framework.wazuh.stats.get_daemons_stats_agents | No |
| ❌ PUT /syscheck | api.controllers.syscheck_controller.put_syscheck | framework.wazuh.syscheck.run | No |
| ❌ DELETE /syscheck/{agent_id} | api.controllers.syscheck_controller.delete_syscheck_agent | framework.wazuh.stats.syscheck.clear | Yes |
| ❌ GET /mitre/metadata | api.controllers.mitre_controller.get_metadata | framework.wazuh.mitre.mitre_metadata | No |
| ❌ GET /mitre/mitigations | api.controllers.mitre_controller.get_mitigations | framework.wazuh.mitre.mitre_mitigations | No |
| ❌ GET /mitre/references | api.controllers.mitre_controller.get_references | framework.wazuh.mitre.mitre_references | No |
| ❌ GET /mitre/tactics | api.controllers.mitre_controller.get_tactics | framework.wazuh.mitre.mitre_tactics | No |
| ❌ GET /mitre/techniques | api.controllers.mitre_controller.get_techniques | framework.wazuh.mitre.mitre_techniques | No |
| ❌ GET /mitre/groups | api.controllers.mitre_controller.get_groups | framework.wazuh.mitre.mitre_groups | No |
| ❌ GET /mitre/software | api.controllers.mitre_controller.get_software | framework.wazuh.mitre.mitre_software | No |
| ❌ GET /rootcheck/{agent_id} | api.controllers.rootcheck_controller.get_rootcheck_agent | framework.wazuh.rootcheck.get_rootcheck_agent | No |
| ❌ GET /sca/{agent_id} | api.controllers.sca_controller.get_sca_agent | framework.wazuh.rootcheck.get_rootcheck_agent | No |
| ❌ GET /sca/{agent_id}/checks/{policy_id} | api.controllers.sca_controller.get_sca_checks | framework.wazuh.sca.get_sca_checks | No |
| ❌ GET /syscheck/{agent_id}/last_scan | api.controllers.syscheck_controller.get_last_scan_agent | framework.wazuh.syscheck.last_scan | No |
| ❌ GET /syscheck/{agent_id} | api.controllers.syscheck_controller.get_syscheck_agent | framework.wazuh.syscheck.files | Yes |
| ❌ GET /ciscat/{agent_id}/results | api.controllers.ciscat_controller.get_agents_ciscat_results | framework.wazuh.ciscat.get_ciscat_results | No |
| ❌ GET /experimental/syscollector/hardware | api.controllers.experimental_controller.get_hardware_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/netaddr | api.controllers.experimental_controller.get_network_address_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/netiface | api.controllers.experimental_controller.get_network_interface_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/netproto | api.controllers.experimental_controller.get_network_protocol_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/os | api.controllers.experimental_controller.get_os_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/packages | api.controllers.experimental_controller.get_packages_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/ports | api.controllers.experimental_controller.get_ports_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/processes | api.controllers.experimental_controller.get_processes_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /experimental/syscollector/hotfixes | api.controllers.experimental_controller.get_hotfixes_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/hardware | api.controllers.syscollector_controller.get_hardware_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/netaddr | api.controllers.syscollector_controller.get_network_address_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/netiface | api.controllers.syscollector_controller.get_network_interface_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/netproto | api.controllers.syscollector_controller.get_network_protocol_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/os | api.controllers.syscollector_controller.get_os_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/packages | api.controllers.syscollector_controller.get_packages_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/ports | api.controllers.syscollector_controller.get_ports_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/processes | api.controllers.syscollector_controller.get_processes_info | framework.wazuh.syscollector.get_item_agent | Yes |
| ❌ GET /syscollector/hotfixes | api.controllers.syscollector_controller.get_hotfixes_info | framework.wazuh.syscollector.get_item_agent | Yes |
| GET /tasks/status | api.controllers.task_controller.get_tasks_status | framework.wazuh.task.get_task_status | No |
Needed changes to replace Wazuh DB

To replace the Wazuh DB with the new data source, we will modify all the classes that talk with it. Starting with the connectors:

And following with the query builders:

It is necessary to decide whether we still need to keep the current class structure in this new implementation of the data model, or if we can think of a new one. Once the data layer is defined and implemented, the next step will be replacing the old WDB calls with the new ones.

Client to access data

Regarding the

This is an important issue to keep in mind, because it will be necessary to add a new set of dependencies:

```
(tmp) ➜ ~ pip freeze
aiohttp==3.9.5
aiosignal==1.3.1
async-timeout==4.0.3
attrs==23.2.0
certifi==2024.6.2
charset-normalizer==3.3.2
Events==0.5
frozenlist==1.4.1
idna==3.7
multidict==6.0.5
opensearch-py==2.6.0
python-dateutil==2.9.0.post0
requests==2.32.3
six==1.16.0
urllib3==2.2.1
yarl==1.9.4
```

This matter will also be relevant to #23395, because the async component is an important key regarding the scalability and the ability to handle high loads of requests.
New agent registration sequence diagram

Register agent

PlantUML code

Note: This first "two requests" to the indexer approach could be enhanced by making a single one, trying to create the agent entry in the Agents List by using the

Remove agent

Note: The

Note: Similar to the previous case, another approach would be to try deleting the agent in a single request and analyze the indexer's response to determine if this was successful (the agent did not exist, an error arose, etc.)

PlantUML code

```
@startuml
actor User as user
participant Agent as agent
box "Server"
box "Indexer" #LightBlue
== Remove agent ==
user -> agent++ : remove {user, password}
```
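An added example (not Wazuh's own code) of the single-request variant that the two notes above propose for the Agent registry flows: registration relies on the indexer rejecting a duplicate uuid, and removal relies on its not-found answer, so neither flow needs a prior existence query. The FakeIndexer stand-in, the AGENTS_INDEX name and the HTTP-style status codes are assumptions; the request-body rules and the UUID v7 restriction are the ones stated in this issue.

```python
import uuid
from dataclasses import dataclass, field
AGENTS_INDEX = "agents"  # assumed index name; the issue does not fix one

class Conflict(Exception): """Id already exists (an OpenSearch create answers 409)."""

class NotFound(Exception): """Id not in the index (an OpenSearch delete answers 404)."""

@dataclass
class FakeIndexer:
    """Constructed in-memory stand-in for the indexer's Agents index."""
    docs: dict = field(default_factory=dict)

    def create(self, index: str, doc_id: str, body: dict) -> None:
        if (index, doc_id) in self.docs:  # create-only semantics, no overwrite
            raise Conflict(doc_id)
        self.docs[(index, doc_id)] = body

    def delete(self, index: str, doc_id: str) -> None:
        if (index, doc_id) not in self.docs:
            raise NotFound(doc_id)
        del self.docs[(index, doc_id)]

def validate_registration(body: dict) -> dict:
    """Body rules from the issue (uuid required, name/ip optional) plus the
    UUID v7 restriction from the description."""
    agent_uuid = body.get("uuid")
    if not isinstance(agent_uuid, str):
        raise ValueError("uuid is required")
    if uuid.UUID(agent_uuid).version != 7:  # UUID() also rejects malformed ids
        raise ValueError("uuid must be a UUID v7")
    return {"uuid": agent_uuid, "name": body.get("name"), "ip": body.get("ip")}

def register_agent(indexer: FakeIndexer, body: dict) -> dict:
    """Single request: the indexer rejects duplicates, so no check-then-create race."""
    doc = validate_registration(body)
    try:
        indexer.create(AGENTS_INDEX, doc["uuid"], doc)
    except Conflict:
        return {"status": 409, "error": "agent already registered"}
    return {"status": 201, "uuid": doc["uuid"]}

def remove_agent(indexer: FakeIndexer, agent_uuid: str) -> dict:
    """Single-request removal: a not-found answer means never registered."""
    try:
        indexer.delete(AGENTS_INDEX, agent_uuid)
    except NotFound:
        return {"status": 404, "error": "agent not found"}
    return {"status": 200, "uuid": agent_uuid}
```

Against a real indexer, FakeIndexer.create corresponds to an index call with create-only semantics and the Conflict/NotFound branches to the 409 and 404 responses the notes suggest analysing.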
Status for the complete list of endpoints for 5.0

Conclusion
Description

We intend to replace the current agent registration system as part of #22677. The new system should rely on the Wazuh indexer to perform this task, thus getting rid of the current plain-text registry keys (client.keys). Since all agent information will be stored in the indexer, global.db will also disappear. All Server management API endpoints that use global.db must be reviewed.

The registration information should now be stored in an index, which will be populated by the Server management API and later queried by the Agent comms API service during agent connection. The Server management API should take care of:

This spike is a research issue to identify which components and endpoints will be affected by the changes, and how.

Implementation restrictions

UUID v7.

Plan