
Fix overwriting agents when 'force' is less than '0' #3527

Merged
merged 2 commits into 3.11 from fix-authd-duplicated-id-3526
Sep 16, 2019

Conversation


@DaveVG1 DaveVG1 commented Jun 13, 2019

Related issue
#3526

Description

authd was overwriting an agent with the same IP when force was less than 0.
One case where this happens is making the following API call:

curl -u foo:bar -k -X POST -d '{"name":"NewHost_4","ip":"10.0.10.16","id":"126","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi64"}' -H 'Content-Type:application/json' "http://127.0.0.1:55000/agents/insert?pretty"

Logs/Alerts example

This is what was happening before while making that API call:

curl -u foo:bar -k -X POST -d '{"name":"NewHost_4","ip":"10.0.10.16","id":"126","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi64","force":"0"}' -H 'Content-Type:application/json' "http://127.0.0.1:55000/agents/insert?pretty"
{
   "error": 0,
   "data": {
      "id": "126",
      "key": "MTI2IE5ld0hvc3RfNCAxMC4wLjEwLjE2IDFhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YTJjZGVmZ2hpNjQ="
   }
}

As can be seen, the process went well when it should say that the ID is duplicated. Also, it shouldn't overwrite the agent.

Tests

It's been checked that agents with the same ID are no longer overwritten when making a call like the one described above. Now the result is the following:

curl -u foo:bar -k -X POST -d '{"name":"NewHost_4","ip":"10.0.10.16","id":"126","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi64"}' -H 'Content-Type:application/json' "http://127.0.0.1:55000/agents/insert?pretty"
{
   "error": 9012,
   "message": "Duplicated ID"
}

@druizz90

Hi team,

Issue #3431 is solved with this PR. The force parameter works as expected:

# curl -u foo:bar -k -X POST -d '{"name":"NewHost_4","ip":"10.0.10.14","id":"010","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64", "force": "0"}' -H 'Content-Type:application/json' "http://127.0.0.1:55000/agents/insert?pretty"
{
   "error": 0,
   "data": {
      "id": "010",
      "key": "MDEwIE5ld0hvc3RfNCAxMC4wLjEwLjE0IDFhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YWJjZGVmZ2hpNjQ="
   }
}
# curl -u foo:bar -k -X POST -d '{"name":"NewHost_4","ip":"10.0.10.14","id":"010","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64", "force": "0"}' -H 'Content-Type:application/json' "http://127.0.0.1:55000/agents/insert?pretty"
{
   "error": 0,
   "data": {
      "id": "010",
      "key": "MDEwIE5ld0hvc3RfNCAxMC4wLjEwLjE0IDFhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YWJjZGVmZ2hpNjQ="
   }
}

If the force parameter is not present, the agent cannot be added:

# curl -u foo:bar -k -X POST -d '{"name":"NewHost_4","ip":"10.0.10.14","id":"010","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64"}' -H 'Content-Type:application/json' "http://127.0.0.1:55000/agents/insert?pretty"
{
   "error": 9012,
   "message": "Duplicated ID"
}

Best regards,

Demetrio.

@bah07 bah07 left a comment

When the call is passed the force parameter with a positive integer, this option should, as described in the documentation, overwrite the agent entry only if the agent's last keepalive was n seconds ago. Please check and fix it so that it will only be overwritten if this condition is met.
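An added illustration (not authd's or the Wazuh API's own code) that models the force semantics discussed in this thread: absent or negative force never overwrites, 0 overwrites, and a positive n overwrites only an agent silent for at least n seconds (that keepalive rule is an assumption taken from the comment above). It also builds the base64 registration key that the insert responses on this page return, which is the client.keys line "id name ip key" encoded.

```python
import base64
from dataclasses import dataclass
from typing import Dict, Optional

DUPLICATED_ID = 9012  # error code seen in this PR's test output


@dataclass
class Agent:
    id: str
    name: str
    ip: str
    key: str
    last_keepalive: Optional[float] = None  # None: never connected


def registration_key(agent: Agent) -> str:
    """Encode the client.keys line ('id name ip key') as base64, which is
    the 'key' value the /agents/insert responses on this page return."""
    line = f"{agent.id} {agent.name} {agent.ip} {agent.key}"
    return base64.b64encode(line.encode()).decode()


def can_overwrite(existing: Agent, force: Optional[int], now: float) -> bool:
    """Model (an assumption, not authd's code) of the force semantics:
    absent or negative force never overwrites; 0 always overwrites;
    n > 0 overwrites only an agent silent for >= n seconds
    (a never-connected agent counts as silent)."""
    if force is None or force < 0:
        return False
    if force == 0 or existing.last_keepalive is None:
        return True
    return now - existing.last_keepalive >= force


def insert_agent(agents: Dict[str, Agent], new: Agent,
                 force: Optional[int], now: float) -> dict:
    """Insert or overwrite an agent keyed by ID; returns a response dict
    shaped like the API output quoted in this thread."""
    existing = agents.get(new.id)
    if existing is not None and not can_overwrite(existing, force, now):
        return {"error": DUPLICATED_ID, "message": "Duplicated ID"}
    agents[new.id] = new  # first insert, or permitted overwrite
    return {"error": 0, "data": {"id": new.id, "key": registration_key(new)}}
```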


Lopuiz commented Jul 18, 2019

Hi team!

I have tested that an agent is overwritten if another agent with the same ID is registered.
agent_control does not update the agent's state. This may be because no file is created in /queue/agent-info.
Next, I describe the different tests I have done.

Regards, Eva

Test

Modify agent IP

First I registered an agent:

lopezziur@lopezziur:~/wazuh$ curl -u foo:bar -k -X POST -d '{"name":"testing","ip":"10.0.0.10","id":"002","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi64"}' -H 'Content-Type:application/json' "http://127.0.0.1:55000/agents/insert?pretty"
{
   "error": 0,
   "data": {
      "id": "002",
      "key": "MDAyIHRlc3RpbmcgMTAuMC4wLjEwIDFhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YTJjZGVmZ2hpNjQ="
   }
}

Check client.keys:
002 testing 10.0.0.10 1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi64
And agent_control:

Wazuh agent_control. List of available agents:
   ID: 000, Name: lopezziur (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: testing, IP: 10.0.0.10, Never connected

I overwrite the agent with a different IP.

lopezziur@lopezziur:~/wazuh$ curl -u foo:bar -k -X POST -d '{"name":"testing","ip":"10.0.0.6","id":"002","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi64","force":"0"}' -H 'Content-Type:application/json' "http://127.0.0.1:55000/agents/insert?pretty"
{
   "error": 0,
   "data": {
      "id": "002",
      "key": "MDAyIHRlc3RpbmcgMTAuMC4wLjYgMWFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXphMmNkZWZnaGk2NA=="
   }
}

Check client.keys:
002 testing 10.0.0.6 1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi64
And agent_control:

Wazuh agent_control. List of available agents:
   ID: 000, Name: lopezziur (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: testing, IP: 10.0.0.6, Never connected

Connect the agent to the manager by adding the key:

root@agent:/var/ossec# bin/manage_agents -i MDAyIHRlc3RpbmcgMTAuMC4wLjYgMWFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXphMmNkZWZnaGk2NA==

Agent information:
   ID:002
   Name:testing
   IP Address:10.0.0.6

Confirm adding it?(y/n): y
Added.

Agent connects:

** Alert 1563387523.271822: mail  - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.3.1,nist_800_53_IA.10,
2019 Jul 17 20:18:43 (testing) 10.0.0.6->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'testing->10.0.0.6'.

But agent_control is not updated:

Wazuh agent_control. List of available agents:
   ID: 000, Name: lopezziur (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: testing, IP: 10.0.0.6, Never connected

Overwrite the active agent's IP

lopezziur@lopezziur:~/wazuh$ curl -u foo:bar -k -X POST -d '{"name":"testing","ip":"10.0.0.10","id":"002","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi64","force":"0"}' -H 'Content-Type:application/json' "http://127.0.0.1:55000/agents/insert?pretty"
{
   "error": 0,
   "data": {
      "id": "002",
      "key": "MDAyIHRlc3RpbmcgMTAuMC4wLjEwIDFhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YTJjZGVmZ2hpNjQ="
   }
}

As the agent is still at IP 10.0.0.6, we get the following messages in ossec.log:

2019/07/17 20:25:58 ossec-remoted: INFO: (1409): Authentication file changed. Updating.
2019/07/17 20:25:58 ossec-remoted: INFO: (1410): Reading authentication keys file.
2019/07/17 20:25:59 ossec-remoted: WARNING: (1213): Message from '10.0.0.6' not allowed.
2019/07/17 20:26:00 ossec-remoted: WARNING: (1213): Message from '10.0.0.6' not allowed.
2019/07/17 20:26:01 ossec-remoted: WARNING: (1213): Message from '10.0.0.6' not allowed.
2019/07/17 20:26:02 ossec-remoted: WARNING: (1213): Message from '10.0.0.6' not allowed.
2019/07/17 20:26:03 ossec-remoted: WARNING: (1213): Message from '10.0.0.6' not allowed.
2019/07/17 20:26:04 ossec-remoted: WARNING: (1213): Message from '10.0.0.6' not allowed.
2019/07/17 20:26:05 ossec-remoted: WARNING: (1213): Message from '10.0.0.6' not allowed.
2019/07/17 20:26:06 ossec-remoted: WARNING: (1213): Message from '10.0.0.6' not allowed.
2019/07/17 20:26:06 ossec-remoted: WARNING: (1213): Message from '10.0.0.6' not allowed.

agent_control updates the IP:

Wazuh agent_control. List of available agents:
   ID: 000, Name: lopezziur (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: testing, IP: 10.0.0.10, Never connected

client.keys updates the IP:
002 testing 10.0.0.10 1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi64

Modify name, IP and key

Register agent:

lopezziur@lopezziur:~/wazuh/wazuh-api$ curl -u foo:bar -k -X POST -d '{"name":"testing","ip":"10.0.0.10","id":"002","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi64"}' -H 'Content-Type:application/json' "http://127.0.0.1:55000/agents/insert?pretty"
{
   "error": 0,
   "data": {
      "id": "002",
      "key": "MDAyIHRlc3RpbmcgMTAuMC4wLjEwIDFhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YTJjZGVmZ2hpNjQ="
   }
}

Check client.keys:

root@lopezziur:/var/ossec# cat etc/client.keys
002 testing 10.0.0.10 1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi64

Overwrite agent:

lopezziur@lopezziur:~/wazuh/wazuh-api$ curl -u foo:bar -k -X POST -d '{"name":"testtin2","ip":"10.0.0.5","id":"002","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi90", "force":"0"}' -H 'Content-Type:application/json' "http://127.0.0.1:55000/agents/insert?pretty"
{
   "error": 0,
   "data": {
      "id": "002",
      "key": "MDAyIHRlc3R0aW4yIDEwLjAuMC41IDFhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YTJjZGVmZ2hpOTA="
   }
}

And agent connects:

root@agent:/var/ossec# bin/manage_agents -i MDAyIHRlc3R0aW4yIDEwLjAuMC41IDFhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YTJjZGVmZ2hpOTA=

Agent information:
   ID:002
   Name:testtin2
   IP Address:10.0.0.5

Confirm adding it?(y/n): y
Added.

agent_control updates the name and IP but not the state:

Wazuh agent_control. List of available agents:
   ID: 000, Name: lopezziur (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: testtin2, IP: 10.0.0.5, Never connected

But the agent is connected:

** Alert 1563447054.163489: mail  - ossec,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,
2019 Jul 18 12:50:54 (testtin2) 10.0.0.5->ossec
Rule: 501 (level 3) -> 'New ossec agent connected.'
ossec: Agent started: 'testtin2->10.0.0.5'.

Overwrite without force option doesn't work

There's a registered agent:
002 testtin2 10.0.0.5 1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi90

I try to overwrite the agent without the force option:

lopezziur@lopezziur:~/wazuh/wazuh-api$ curl -u foo:bar -k -X POST -d '{"name":"testing","ip":"10.0.0.10","id":"002","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi64"}' -H 'Content-Type:application/json' "http://127.0.0.1:55000/agents/insert?pretty"
{
   "error": 9012,
   "message": "Duplicated ID"
}

But the agent is not overwritten:
002 testtin2 10.0.0.5 1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi90

It works

  • File client.keys updates
  • agent_control updates name and IP
  • agent_control updates state
  • Events are received
  • Messages not allowed if the IP changed
  • Overwrite agent with different keys
  • Overwrite without force option doesn't work


Lopuiz commented Jul 18, 2019

PS:
If I overwrite an active agent (with state active), agent_control updates the state correctly.

Test

My agent is active:

Wazuh agent_control. List of available agents:
   ID: 000, Name: lopezziur (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: testtin2, IP: 10.0.0.5, Never connected
   ID: 005, Name: testing, IP: 10.0.0.15, Active

Overwrite agent:

lopezziur@lopezziur:~$ curl -u foo:bar -k -X POST -d '{"name":"testing","ip":"10.0.0.16","id":"005","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyza2cdefghi64", "force":"2"}' -H 'Content-Type:application/json' "http://127.0.0.1:55000/agents/insert?pretty"
{
   "error": 0,
   "data": {
      "id": "005",
      "key": "MDA1IHRlc3RpbmcgMTAuMC4wLjE2IDFhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YTJjZGVmZ2hpNjQ="
   }
}

And agent_control is updated:

Wazuh agent_control. List of available agents:
   ID: 000, Name: lopezziur (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: testtin2, IP: 10.0.0.5, Never connected
   ID: 005, Name: testing, IP: 10.0.0.16, Never connected

And ossec.log messages:

2019/07/18 13:42:30 ossec-remoted: INFO: (1409): Authentication file changed. Updating.
2019/07/18 13:42:30 ossec-remoted: INFO: (1410): Reading authentication keys file.
2019/07/18 13:42:30 ossec-remoted: WARNING: (1213): Message from '10.0.0.15' not allowed.
2019/07/18 13:42:31 ossec-remoted: WARNING: (1213): Message from '10.0.0.15' not allowed.
2019/07/18 13:42:32 ossec-remoted: WARNING: (1213): Message from '10.0.0.15' not allowed.
2019/07/18 13:42:33 ossec-remoted: WARNING: (1213): Message from '10.0.0.15' not allowed.
2019/07/18 13:42:34 ossec-remoted: WARNING: (1213): Message from '10.0.0.15' not allowed.

@chemamartinez chemamartinez changed the base branch from 3.10 to 3.11 September 16, 2019 14:45
@chemamartinez chemamartinez merged commit 218291e into 3.11 Sep 16, 2019
@chemamartinez chemamartinez deleted the fix-authd-duplicated-id-3526 branch September 16, 2019 14:46