MD5 check must be replaced by SHA512 #1001

Closed
7 tasks done
teddytpc1 opened this issue Aug 24, 2023 · 2 comments · Fixed by #1015
Labels: level/task (Subtask issue), type/change (Change requested)

Comments

teddytpc1 (Member) commented Aug 24, 2023

Description

Currently, the Windows agent deployment provides an MD5 check. To update the MD5 checksum we need the package. This causes delays in the wazuh-ansible tag because we need to update it with the correct value, and it is error-prone.

To avoid this, we need to replace the MD5 with the SHA512 that is available in packages.wazuh.com and packages-dev.wazuh.com, depending on the repo used to install the package, e.g.:

And perform the check using that file.

Tasks

  • Remove the check_md5 and md5 variables and their related Ansible tasks.
  • Add the variable check_sha512 (boolean, default: true) in the roles/wazuh/ansible-wazuh-agent/defaults/main.yml file.
  • Add a variable with the SHA512 checksum URL in the roles/wazuh/vars/repo.yml and roles/wazuh/vars/repo_pre-release.yml files.
  • Add the needed tasks to verify the SHA512 checksum for the Windows agent installation.
  • wazuh/wazuh-automation#1266

Validation

  • Provide evidence of a successful installation of the Wazuh Windows agent verifying the SHA512 checksum.
  • Provide evidence of a successful installation of the Wazuh Windows agent without verifying the SHA512 checksum.
davidcr01 (Contributor) commented:

Update Report

Context

To solve this issue, the following requirements have been satisfied:

  • Have a Windows agent. In my case, a Windows Server 2016 provided by Vagrant.
  • Installed the pywinrm package on my machine.
  • Configured the Ansible hosts file with the following content:

[windows]
<ip_address>

[windows:vars]
ansible_user=vagrant
ansible_password=vagrant
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_ssh_port=5986

Development

Variables

Some new variables have been added for this issue, corresponding to its third task:

  • In roles/wazuh/vars/repo.yml:
wazuh_winagent_sha512_url: "https://packages.wazuh.com/4.x/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
  • In roles/wazuh/vars/repo_pre-release.yml:
wazuh_winagent_sha512_url: "https://packages-dev.wazuh.com/pre-release/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"

New tasks

New tasks have been added to the Windows.yml file. These tasks replace the MD5 verification with the SHA512 verification. Now, the checksum is not hardcoded, but obtained from a downloaded file.

# Fetch the published .sha512 file into the same directory as the installer.
# All three tasks run only when check_sha512 is enabled.
- name: Windows | Download SHA512 checksum file
  win_get_url:
    url: "{{ wazuh_winagent_sha512_url }}"
    dest: "{{ wazuh_winagent_config.download_dir }}"
  when:
    - wazuh_winagent_config.check_sha512

# The file holds "<digest> <filename>"; keep only the first token (the digest).
- name: Extract checksum from SHA512 file
  win_shell: Get-Content "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}.sha512" | ForEach-Object { $_.Split(' ')[0] }
  register: extracted_checksum
  when:
    - wazuh_winagent_config.check_sha512

# Hash the downloaded MSI with win_stat and fail the play if it does not match
# the published digest, so a corrupted or substituted installer is never run.
- name: Windows | Verify the Wazuh Agent installer
  win_stat:
    path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
    get_checksum: true
    checksum_algorithm: sha512
  register: wazuh_agent_status
  failed_when:
    - wazuh_agent_status.stat.checksum != extracted_checksum.stdout_lines[0]
  when:
    - wazuh_winagent_config.check_sha512

Testing

🟢 Deploy verifying the checksum
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Program Files (x86) exists] **************
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Directory", "creationtime": 1468649064.7707448, "exists": true, "filename": "Program Files (x86)", "hlnk_targets": [], "isarchive": false, "isdir": true, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": false, "isshared": false, "lastaccesstime": 1693480155.859194, "lastwritetime": 1693480155.859194, "nlink": 1, "owner": "NT SERVICE\\TrustedInstaller", "path": "C:\\Program Files (x86)", "size": 72068973}}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x86)] *******************************
ok: [192.168.57.131] => {"ansible_facts": {"wazuh_agent_win_auth_path": "C:\\'Program Files (x86)'\\ossec-agent\\agent-auth.exe", "wazuh_agent_win_path": "C:\\Program Files (x86)\\ossec-agent\\"}, "changed": false}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x64)] *******************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Wazuh installer is already downloaded] ***
ok: [192.168.57.131] => {"changed": false, "stat": {"exists": false}}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download Wazuh Agent package] *********************
changed: [192.168.57.131] => {"changed": true, "checksum_dest": "c8704688ca498b89406059f768c4a8e409de8171", "checksum_src": "c8704688ca498b89406059f768c4a8e409de8171", "dest": "C:\\wazuh-agent-4.5.1-1.msi", "elapsed": 2.6703264, "msg": "OK", "size": 6328320, "status_code": 200, "url": "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.5.1-1.msi"}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download SHA512 checksum file] ********************
changed: [192.168.57.131] => {"changed": true, "checksum_dest": "d9f668e6d04891d86e56d1e46af2f71f3177604a", "checksum_src": "d9f668e6d04891d86e56d1e46af2f71f3177604a", "dest": "C:\\wazuh-agent-4.5.1-1.msi.sha512", "elapsed": 0.0937988, "msg": "OK", "size": 154, "status_code": 200, "url": "https://packages.wazuh.com/4.x/checksums/wazuh/4.5.1/wazuh-agent-4.5.1-1.msi.sha512"}

TASK [../roles/wazuh/ansible-wazuh-agent : Extract checksum from SHA512 file] **************************
changed: [192.168.57.131] => {"changed": true, "cmd": "Get-Content \"C:\\wazuh-agent-4.5.1-1.msi.sha512\" | ForEach-Object { $_.Split(' ')[0] }", "delta": "0:00:00.219201", "end": "2023-08-31 12:38:37.344512", "rc": 0, "start": "2023-08-31 12:38:37.125310", "stderr": "", "stderr_lines": [], "stdout": "3e06872590aa9e300a80d236039673182a1180c9dd6ca17396ab4f5d819b4686d35006608ff1490170bcfa0a8fde9713a0782e1b63236c43e3160735a388c5f9\r\n", "stdout_lines": ["3e06872590aa9e300a80d236039673182a1180c9dd6ca17396ab4f5d819b4686d35006608ff1490170bcfa0a8fde9713a0782e1b63236c43e3160735a388c5f9"]}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Verify the Wazuh Agent installer] *****************
ok: [192.168.57.131] => {"changed": false, "failed_when_result": false, "stat": {"attributes": "Archive", "checksum": "3e06872590aa9e300a80d236039673182a1180c9dd6ca17396ab4f5d819b4686d35006608ff1490170bcfa0a8fde9713a0782e1b63236c43e3160735a388c5f9", "creationtime": 1693485515.126237, "exists": true, "extension": ".msi", "filename": "wazuh-agent-4.5.1-1.msi", "hlnk_targets": [], "isarchive": true, "isdir": false, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": true, "isshared": false, "lastaccesstime": 1693485515.126237, "lastwritetime": 1693485515.110616, "nlink": 1, "owner": "BUILTIN\\Administrators", "path": "C:\\wazuh-agent-4.5.1-1.msi", "size": 6328320}}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Install Agent if not already installed] ***********
ok: [192.168.57.131] => {"changed": false, "rc": 0, "reboot_required": false}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if client.keys exists] **********************
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Archive", "checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "creationtime": 1693480156.1874695, "exists": true, "extension": ".keys", "filename": "client.keys", "hlnk_targets": [], "isarchive": true, "isdir": false, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": true, "isshared": false, "lastaccesstime": 1693480156.1874695, "lastwritetime": 1693480156.1874695, "nlink": 1, "owner": "NT AUTHORITY\\SYSTEM", "path": "C:\\Program Files (x86)\\ossec-agent\\client.keys", "size": 0}}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Register agent] ***********************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if ossec folder is accessible] **************
ok: [192.168.57.131] => {"changed": false}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Installing agent configuration (ossec.conf)] ******
ok: [192.168.57.131] => {"changed": false, "checksum": "1fa633eb3b630a2f91de7e52acedaa87973c6c9a"}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Installing local_internal_options.conf] ***********
ok: [192.168.57.131] => {"changed": false, "checksum": "0836cd8eb65da2b28a8ce0256089c16a96b539f7"}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Delete downloaded Wazuh agent installer file] *****
changed: [192.168.57.131] => {"changed": true}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Delete downloaded checksum file] ******************
changed: [192.168.57.131] => {"changed": true}

TASK [../roles/wazuh/ansible-wazuh-agent : include_tasks] **********************************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}

PLAY RECAP *********************************************************************************************
192.168.57.131             : ok=19   changed=5    unreachable=0    failed=0    skipped=5    rescued=0    ignored=0

🟢 Deploy without verifying the checksum
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Program Files (x86) exists] **************
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Directory", "creationtime": 1468649064.7707448, "exists": true, "filename": "Program Files (x86)", "hlnk_targets": [], "isarchive": false, "isdir": true, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": false, "isshared": false, "lastaccesstime": 1693480155.859194, "lastwritetime": 1693480155.859194, "nlink": 1, "owner": "NT SERVICE\\TrustedInstaller", "path": "C:\\Program Files (x86)", "size": 72069355}}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x86)] *******************************
ok: [192.168.57.131] => {"ansible_facts": {"wazuh_agent_win_auth_path": "C:\\'Program Files (x86)'\\ossec-agent\\agent-auth.exe", "wazuh_agent_win_path": "C:\\Program Files (x86)\\ossec-agent\\"}, "changed": false}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x64)] *******************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Wazuh installer is already downloaded] ***
ok: [192.168.57.131] => {"changed": false, "stat": {"exists": false}}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download Wazuh Agent package] *********************
changed: [192.168.57.131] => {"changed": true, "checksum_dest": "c8704688ca498b89406059f768c4a8e409de8171", "checksum_src": "c8704688ca498b89406059f768c4a8e409de8171", "dest": "C:\\wazuh-agent-4.5.1-1.msi", "elapsed": 2.21794, "msg": "OK", "size": 6328320, "status_code": 200, "url": "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.5.1-1.msi"}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download SHA512 checksum file] ********************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [../roles/wazuh/ansible-wazuh-agent : Extract checksum from SHA512 file] **************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Verify the Wazuh Agent installer] *****************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Install Agent if not already installed] ***********
ok: [192.168.57.131] => {"changed": false, "rc": 0, "reboot_required": false}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if client.keys exists] **********************
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Archive", "checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "creationtime": 1693480156.1874695, "exists": true, "extension": ".keys", "filename": "client.keys", "hlnk_targets": [], "isarchive": true, "isdir": false, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": true, "isshared": false, "lastaccesstime": 1693480156.1874695, "lastwritetime": 1693480156.1874695, "nlink": 1, "owner": "NT AUTHORITY\\SYSTEM", "path": "C:\\Program Files (x86)\\ossec-agent\\client.keys", "size": 0}}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Register agent] ***********************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if ossec folder is accessible] **************
ok: [192.168.57.131] => {"changed": false}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Installing agent configuration (ossec.conf)] ******
ok: [192.168.57.131] => {"changed": false, "checksum": "1fa633eb3b630a2f91de7e52acedaa87973c6c9a"}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Installing local_internal_options.conf] ***********
ok: [192.168.57.131] => {"changed": false, "checksum": "0836cd8eb65da2b28a8ce0256089c16a96b539f7"}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Delete downloaded Wazuh agent installer file] *****
changed: [192.168.57.131] => {"changed": true}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Delete downloaded checksum file] ******************
ok: [192.168.57.131] => {"changed": false}

TASK [../roles/wazuh/ansible-wazuh-agent : include_tasks] **********************************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}

PLAY RECAP *********************************************************************************************
192.168.57.131             : ok=16   changed=2    unreachable=0    failed=0    skipped=8    rescued=0    ignored=0

🟢 Deploy verifying the wrong checksum (hardcoded)
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Program Files (x86) exists] **************
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Directory", "creationtime": 1468649064.7707448, "exists": true, "filename": "Program Files (x86)", "hlnk_targets": [], "isarchive": false, "isdir": true, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": false, "isshared": false, "lastaccesstime": 1693480155.859194, "lastwritetime": 1693480155.859194, "nlink": 1, "owner": "NT SERVICE\\TrustedInstaller", "path": "C:\\Program Files (x86)", "size": 72070883}}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x86)] *******************************
ok: [192.168.57.131] => {"ansible_facts": {"wazuh_agent_win_auth_path": "C:\\'Program Files (x86)'\\ossec-agent\\agent-auth.exe", "wazuh_agent_win_path": "C:\\Program Files (x86)\\ossec-agent\\"}, "changed": false}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x64)] *******************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Wazuh installer is already downloaded] ***
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Archive", "checksum": "c8704688ca498b89406059f768c4a8e409de8171", "creationtime": 1693485874.5439076, "exists": true, "extension": ".msi", "filename": "wazuh-agent-4.5.1-1.msi", "hlnk_targets": [], "isarchive": true, "isdir": false, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": true, "isshared": false, "lastaccesstime": 1693485891.9662046, "lastwritetime": 1693485891.9316914, "nlink": 1, "owner": "BUILTIN\\Administrators", "path": "C:\\wazuh-agent-4.5.1-1.msi", "size": 6328320}}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download Wazuh Agent package] *********************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download SHA512 checksum file] ********************
ok: [192.168.57.131] => {"changed": false, "checksum_dest": "cd9799cc40f1f290c92e3856c7531628670e026d", "checksum_src": "cd9799cc40f1f290c92e3856c7531628670e026d", "dest": "C:\\wazuh-agent-4.5.0-1.msi.sha512", "elapsed": 0.1406826, "msg": "OK", "size": 154, "status_code": 200, "url": "https://packages.wazuh.com/4.x/checksums/wazuh/4.5.0/wazuh-agent-4.5.0-1.msi.sha512"}

TASK [../roles/wazuh/ansible-wazuh-agent : Extract checksum from SHA512 file] **************************
changed: [192.168.57.131] => {"changed": true, "cmd": "Get-Content \"C:\\wazuh-agent-4.5.0-1.msi.sha512\" | ForEach-Object { $_.Split(' ')[0] }", "delta": "0:00:00.202862", "end": "2023-08-31 12:48:44.654477", "rc": 0, "start": "2023-08-31 12:48:44.451614", "stderr": "", "stderr_lines": [], "stdout": "94179e1bf54ca607aeb71087acd5166519503e148dc20a597c28249b0e4aa2d150f2bb3cca0653591b0fe7e1d061f0ef9e3baed965edae2df93059fd4ac27915\r\n", "stdout_lines": ["94179e1bf54ca607aeb71087acd5166519503e148dc20a597c28249b0e4aa2d150f2bb3cca0653591b0fe7e1d061f0ef9e3baed965edae2df93059fd4ac27915"]}

TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Verify the Wazuh Agent installer] *****************
fatal: [192.168.57.131]: FAILED! => {"changed": false, "failed_when_result": true, "stat": {"attributes": "Archive", "checksum": "3e06872590aa9e300a80d236039673182a1180c9dd6ca17396ab4f5d819b4686d35006608ff1490170bcfa0a8fde9713a0782e1b63236c43e3160735a388c5f9", "creationtime": 1693485874.5439076, "exists": true, "extension": ".msi", "filename": "wazuh-agent-4.5.1-1.msi", "hlnk_targets": [], "isarchive": true, "isdir": false, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": true, "isshared": false, "lastaccesstime": 1693485891.9662046, "lastwritetime": 1693485891.9316914, "nlink": 1, "owner": "BUILTIN\\Administrators", "path": "C:\\wazuh-agent-4.5.1-1.msi", "size": 6328320}}

PLAY RECAP *********************************************************************************************
192.168.57.131             : ok=10   changed=1    unreachable=0    failed=1    skipped=4    rescued=0    ignored=0  
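
An added example (not code from the wazuh-ansible role or from this report): the same verification the "Verify the Wazuh Agent installer" task performs, written as a standalone PowerShell function. It parses the sha512sum-style .sha512 file the role downloads, additionally checks that the filename recorded in that file is the package being verified (which would have reported the 4.5.0 checksum file vs 4.5.1 MSI mismatch of the third run explicitly), and compares the digest case-insensitively. The function name and error messages are my own.

```powershell
# Added example, not part of the wazuh-ansible role: verify an MSI against a
# sha512sum-style checksum file. Assumes the layout seen in the run above:
#   <128 hex chars><two spaces, or " *" for binary mode><filename>
function Test-PackageSha512 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PackagePath,       # e.g. C:\wazuh-agent-4.5.1-1.msi
        [Parameter(Mandatory)] [string] $ChecksumFilePath   # e.g. C:\wazuh-agent-4.5.1-1.msi.sha512
    )

    # Read only the first line; a trailing CR/LF or blank is trimmed.
    $line = Get-Content -Path $ChecksumFilePath -TotalCount 1
    if (-not $line) { throw "Checksum file is empty: $ChecksumFilePath" }
    $line = $line.Trim()

    # Split into digest and recorded filename instead of blindly taking token 0.
    if ($line -notmatch '^(?<hash>[0-9a-fA-F]{128})\s+\*?(?<name>\S.*)$') {
        throw "Checksum file is not in sha512sum format: $ChecksumFilePath"
    }
    $expected   = $Matches['hash'].ToLowerInvariant()
    $listedName = $Matches['name']

    # Guard against checking one version's MSI against another version's
    # checksum file (the failure mode of the third run above): the filename
    # recorded in the .sha512 file must be the package being verified.
    $packageName = Split-Path -Path $PackagePath -Leaf
    if ($listedName -ne $packageName) {
        throw "Checksum file lists '$listedName' but the package is '$packageName'"
    }

    # Compute SHA512 of the installer; Get-FileHash returns upper-case hex,
    # so normalise both sides before comparing.
    $actual = (Get-FileHash -Path $PackagePath -Algorithm SHA512).Hash.ToLowerInvariant()
    return [bool]($actual -eq $expected)
}

# Usage with the paths the role's tasks produce (download_dir = C:\):
# Test-PackageSha512 -PackagePath 'C:\wazuh-agent-4.5.1-1.msi' `
#                    -ChecksumFilePath 'C:\wazuh-agent-4.5.1-1.msi.sha512'
```

A $false return or a thrown error is the signal to abort the installation, which is what the role's failed_when does for the digest mismatch case.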

davidcr01 (Contributor) commented:

It is necessary to close https://github.com/wazuh/wazuh-automation/issues/1266 to close this issue.
