MD5 check must be replaced by SHA512 #1001
Comments
Update Report
Context
To solve this issue, some requirements have been satisfied:
Development
Variables
Some new variables have been added to perform this issue, regarding the third task of the issue:
wazuh_winagent_sha512_url: "https://packages.wazuh.com/4.x/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
wazuh_winagent_sha512_url: "https://packages-dev.wazuh.com/pre-release/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
New tasks
New tasks have been added to the
- name: Windows | Download SHA512 checksum file
  win_get_url:
    url: "{{ wazuh_winagent_sha512_url }}"
    dest: "{{ wazuh_winagent_config.download_dir }}"
  when:
    - wazuh_winagent_config.check_sha512

- name: Extract checksum from SHA512 file
  win_shell: Get-Content "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}.sha512" | ForEach-Object { $_.Split(' ')[0] }
  register: extracted_checksum
  when:
    - wazuh_winagent_config.check_sha512

- name: Windows | Verify the Wazuh Agent installer
  win_stat:
    path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
    get_checksum: true
    checksum_algorithm: sha512
  register: wazuh_agent_status
  failed_when:
    - wazuh_agent_status.stat.checksum != extracted_checksum.stdout_lines[0]
  when:
    - wazuh_winagent_config.check_sha512
Testing
🟢 Deploy verifying the checksum
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Program Files (x86) exists] **************
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Directory", "creationtime": 1468649064.7707448, "exists": true, "filename": "Program Files (x86)", "hlnk_targets": [], "isarchive": false, "isdir": true, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": false, "isshared": false, "lastaccesstime": 1693480155.859194, "lastwritetime": 1693480155.859194, "nlink": 1, "owner": "NT SERVICE\\TrustedInstaller", "path": "C:\\Program Files (x86)", "size": 72068973}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x86)] *******************************
ok: [192.168.57.131] => {"ansible_facts": {"wazuh_agent_win_auth_path": "C:\\'Program Files (x86)'\\ossec-agent\\agent-auth.exe", "wazuh_agent_win_path": "C:\\Program Files (x86)\\ossec-agent\\"}, "changed": false}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x64)] *******************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Wazuh installer is already downloaded] ***
ok: [192.168.57.131] => {"changed": false, "stat": {"exists": false}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download Wazuh Agent package] *********************
changed: [192.168.57.131] => {"changed": true, "checksum_dest": "c8704688ca498b89406059f768c4a8e409de8171", "checksum_src": "c8704688ca498b89406059f768c4a8e409de8171", "dest": "C:\\wazuh-agent-4.5.1-1.msi", "elapsed": 2.6703264, "msg": "OK", "size": 6328320, "status_code": 200, "url": "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.5.1-1.msi"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download SHA512 checksum file] ********************
changed: [192.168.57.131] => {"changed": true, "checksum_dest": "d9f668e6d04891d86e56d1e46af2f71f3177604a", "checksum_src": "d9f668e6d04891d86e56d1e46af2f71f3177604a", "dest": "C:\\wazuh-agent-4.5.1-1.msi.sha512", "elapsed": 0.0937988, "msg": "OK", "size": 154, "status_code": 200, "url": "https://packages.wazuh.com/4.x/checksums/wazuh/4.5.1/wazuh-agent-4.5.1-1.msi.sha512"}
TASK [../roles/wazuh/ansible-wazuh-agent : Extract checksum from SHA512 file] **************************
changed: [192.168.57.131] => {"changed": true, "cmd": "Get-Content \"C:\\wazuh-agent-4.5.1-1.msi.sha512\" | ForEach-Object { $_.Split(' ')[0] }", "delta": "0:00:00.219201", "end": "2023-08-31 12:38:37.344512", "rc": 0, "start": "2023-08-31 12:38:37.125310", "stderr": "", "stderr_lines": [], "stdout": "3e06872590aa9e300a80d236039673182a1180c9dd6ca17396ab4f5d819b4686d35006608ff1490170bcfa0a8fde9713a0782e1b63236c43e3160735a388c5f9\r\n", "stdout_lines": ["3e06872590aa9e300a80d236039673182a1180c9dd6ca17396ab4f5d819b4686d35006608ff1490170bcfa0a8fde9713a0782e1b63236c43e3160735a388c5f9"]}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Verify the Wazuh Agent installer] *****************
ok: [192.168.57.131] => {"changed": false, "failed_when_result": false, "stat": {"attributes": "Archive", "checksum": "3e06872590aa9e300a80d236039673182a1180c9dd6ca17396ab4f5d819b4686d35006608ff1490170bcfa0a8fde9713a0782e1b63236c43e3160735a388c5f9", "creationtime": 1693485515.126237, "exists": true, "extension": ".msi", "filename": "wazuh-agent-4.5.1-1.msi", "hlnk_targets": [], "isarchive": true, "isdir": false, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": true, "isshared": false, "lastaccesstime": 1693485515.126237, "lastwritetime": 1693485515.110616, "nlink": 1, "owner": "BUILTIN\\Administrators", "path": "C:\\wazuh-agent-4.5.1-1.msi", "size": 6328320}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Install Agent if not already installed] ***********
ok: [192.168.57.131] => {"changed": false, "rc": 0, "reboot_required": false}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if client.keys exists] **********************
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Archive", "checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "creationtime": 1693480156.1874695, "exists": true, "extension": ".keys", "filename": "client.keys", "hlnk_targets": [], "isarchive": true, "isdir": false, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": true, "isshared": false, "lastaccesstime": 1693480156.1874695, "lastwritetime": 1693480156.1874695, "nlink": 1, "owner": "NT AUTHORITY\\SYSTEM", "path": "C:\\Program Files (x86)\\ossec-agent\\client.keys", "size": 0}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Register agent] ***********************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if ossec folder is accessible] **************
ok: [192.168.57.131] => {"changed": false}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Installing agent configuration (ossec.conf)] ******
ok: [192.168.57.131] => {"changed": false, "checksum": "1fa633eb3b630a2f91de7e52acedaa87973c6c9a"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Installing local_internal_options.conf] ***********
ok: [192.168.57.131] => {"changed": false, "checksum": "0836cd8eb65da2b28a8ce0256089c16a96b539f7"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Delete downloaded Wazuh agent installer file] *****
changed: [192.168.57.131] => {"changed": true}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Delete downloaded checksum file] ******************
changed: [192.168.57.131] => {"changed": true}
TASK [../roles/wazuh/ansible-wazuh-agent : include_tasks] **********************************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
PLAY RECAP *********************************************************************************************
192.168.57.131 : ok=19 changed=5 unreachable=0 failed=0 skipped=5 rescued=0 ignored=0
🟢 Deploy without verifying the checksum
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Program Files (x86) exists] **************
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Directory", "creationtime": 1468649064.7707448, "exists": true, "filename": "Program Files (x86)", "hlnk_targets": [], "isarchive": false, "isdir": true, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": false, "isshared": false, "lastaccesstime": 1693480155.859194, "lastwritetime": 1693480155.859194, "nlink": 1, "owner": "NT SERVICE\\TrustedInstaller", "path": "C:\\Program Files (x86)", "size": 72069355}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x86)] *******************************
ok: [192.168.57.131] => {"ansible_facts": {"wazuh_agent_win_auth_path": "C:\\'Program Files (x86)'\\ossec-agent\\agent-auth.exe", "wazuh_agent_win_path": "C:\\Program Files (x86)\\ossec-agent\\"}, "changed": false}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x64)] *******************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Wazuh installer is already downloaded] ***
ok: [192.168.57.131] => {"changed": false, "stat": {"exists": false}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download Wazuh Agent package] *********************
changed: [192.168.57.131] => {"changed": true, "checksum_dest": "c8704688ca498b89406059f768c4a8e409de8171", "checksum_src": "c8704688ca498b89406059f768c4a8e409de8171", "dest": "C:\\wazuh-agent-4.5.1-1.msi", "elapsed": 2.21794, "msg": "OK", "size": 6328320, "status_code": 200, "url": "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.5.1-1.msi"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download SHA512 checksum file] ********************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Extract checksum from SHA512 file] **************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Verify the Wazuh Agent installer] *****************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Install Agent if not already installed] ***********
ok: [192.168.57.131] => {"changed": false, "rc": 0, "reboot_required": false}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if client.keys exists] **********************
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Archive", "checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "creationtime": 1693480156.1874695, "exists": true, "extension": ".keys", "filename": "client.keys", "hlnk_targets": [], "isarchive": true, "isdir": false, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": true, "isshared": false, "lastaccesstime": 1693480156.1874695, "lastwritetime": 1693480156.1874695, "nlink": 1, "owner": "NT AUTHORITY\\SYSTEM", "path": "C:\\Program Files (x86)\\ossec-agent\\client.keys", "size": 0}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Register agent] ***********************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if ossec folder is accessible] **************
ok: [192.168.57.131] => {"changed": false}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Installing agent configuration (ossec.conf)] ******
ok: [192.168.57.131] => {"changed": false, "checksum": "1fa633eb3b630a2f91de7e52acedaa87973c6c9a"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Installing local_internal_options.conf] ***********
ok: [192.168.57.131] => {"changed": false, "checksum": "0836cd8eb65da2b28a8ce0256089c16a96b539f7"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Delete downloaded Wazuh agent installer file] *****
changed: [192.168.57.131] => {"changed": true}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Delete downloaded checksum file] ******************
ok: [192.168.57.131] => {"changed": false}
TASK [../roles/wazuh/ansible-wazuh-agent : include_tasks] **********************************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
PLAY RECAP *********************************************************************************************
192.168.57.131 : ok=16 changed=2 unreachable=0 failed=0 skipped=8 rescued=0 ignored=0
🟢 Deploy verifying the wrong checksum (hardcoded)
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Program Files (x86) exists] **************
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Directory", "creationtime": 1468649064.7707448, "exists": true, "filename": "Program Files (x86)", "hlnk_targets": [], "isarchive": false, "isdir": true, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": false, "isshared": false, "lastaccesstime": 1693480155.859194, "lastwritetime": 1693480155.859194, "nlink": 1, "owner": "NT SERVICE\\TrustedInstaller", "path": "C:\\Program Files (x86)", "size": 72070883}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x86)] *******************************
ok: [192.168.57.131] => {"ansible_facts": {"wazuh_agent_win_auth_path": "C:\\'Program Files (x86)'\\ossec-agent\\agent-auth.exe", "wazuh_agent_win_path": "C:\\Program Files (x86)\\ossec-agent\\"}, "changed": false}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x64)] *******************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Wazuh installer is already downloaded] ***
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Archive", "checksum": "c8704688ca498b89406059f768c4a8e409de8171", "creationtime": 1693485874.5439076, "exists": true, "extension": ".msi", "filename": "wazuh-agent-4.5.1-1.msi", "hlnk_targets": [], "isarchive": true, "isdir": false, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": true, "isshared": false, "lastaccesstime": 1693485891.9662046, "lastwritetime": 1693485891.9316914, "nlink": 1, "owner": "BUILTIN\\Administrators", "path": "C:\\wazuh-agent-4.5.1-1.msi", "size": 6328320}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download Wazuh Agent package] *********************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download SHA512 checksum file] ********************
ok: [192.168.57.131] => {"changed": false, "checksum_dest": "cd9799cc40f1f290c92e3856c7531628670e026d", "checksum_src": "cd9799cc40f1f290c92e3856c7531628670e026d", "dest": "C:\\wazuh-agent-4.5.0-1.msi.sha512", "elapsed": 0.1406826, "msg": "OK", "size": 154, "status_code": 200, "url": "https://packages.wazuh.com/4.x/checksums/wazuh/4.5.0/wazuh-agent-4.5.0-1.msi.sha512"}
TASK [../roles/wazuh/ansible-wazuh-agent : Extract checksum from SHA512 file] **************************
changed: [192.168.57.131] => {"changed": true, "cmd": "Get-Content \"C:\\wazuh-agent-4.5.0-1.msi.sha512\" | ForEach-Object { $_.Split(' ')[0] }", "delta": "0:00:00.202862", "end": "2023-08-31 12:48:44.654477", "rc": 0, "start": "2023-08-31 12:48:44.451614", "stderr": "", "stderr_lines": [], "stdout": "94179e1bf54ca607aeb71087acd5166519503e148dc20a597c28249b0e4aa2d150f2bb3cca0653591b0fe7e1d061f0ef9e3baed965edae2df93059fd4ac27915\r\n", "stdout_lines": ["94179e1bf54ca607aeb71087acd5166519503e148dc20a597c28249b0e4aa2d150f2bb3cca0653591b0fe7e1d061f0ef9e3baed965edae2df93059fd4ac27915"]}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Verify the Wazuh Agent installer] *****************
fatal: [192.168.57.131]: FAILED! => {"changed": false, "failed_when_result": true, "stat": {"attributes": "Archive", "checksum": "3e06872590aa9e300a80d236039673182a1180c9dd6ca17396ab4f5d819b4686d35006608ff1490170bcfa0a8fde9713a0782e1b63236c43e3160735a388c5f9", "creationtime": 1693485874.5439076, "exists": true, "extension": ".msi", "filename": "wazuh-agent-4.5.1-1.msi", "hlnk_targets": [], "isarchive": true, "isdir": false, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": true, "isshared": false, "lastaccesstime": 1693485891.9662046, "lastwritetime": 1693485891.9316914, "nlink": 1, "owner": "BUILTIN\\Administrators", "path": "C:\\wazuh-agent-4.5.1-1.msi", "size": 6328320}}
PLAY RECAP *********************************************************************************************
192.168.57.131 : ok=10 changed=1 unreachable=0 failed=1 skipped=4 rescued=0 ignored=0
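The extract-and-verify steps from the comment above, written as one PowerShell function; this is an added example, not code from the wazuh-ansible role. It assumes the `.sha512` file holds a single `<digest>  <file name>` line, which is what the `Split(' ')[0]` step and the 154-byte download in the log imply; `Test-InstallerSha512` and the sample file names are hypothetical. Besides comparing digests, it rejects a checksum file that names a different package, the situation in the third test run.

```powershell
# Added example; Test-InstallerSha512 and the sample file names are hypothetical.
function Test-InstallerSha512 {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        [Parameter(Mandatory)] [string] $ChecksumPath
    )
    # Assumed format: one "<128 hex chars>  <file name>" line, as sha512sum writes it.
    $line = Get-Content -LiteralPath $ChecksumPath |
        Where-Object { $_.Trim() } | Select-Object -First 1
    if (-not $line) { throw "Checksum file is empty: $ChecksumPath" }

    $fields = $line.Trim() -split '\s+', 2
    $expected = $fields[0]
    # A proxy error page or a truncated download fails here, not at the comparison.
    if ($expected -notmatch '^[0-9a-fA-F]{128}$') {
        throw "First field of $ChecksumPath is not a SHA-512 digest"
    }

    # If the file names a package, it must be the one about to be installed.
    if ($fields.Count -eq 2) {
        $named = $fields[1].TrimStart('*')
        $leaf = Split-Path -Leaf $InstallerPath
        if ($named -ne $leaf) { throw "Checksum file is for '$named', not '$leaf'" }
    }

    # Get-FileHash returns upper-case hex, so compare without regard to case.
    $actual = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA512).Hash
    if (-not [string]::Equals($actual, $expected, [StringComparison]::OrdinalIgnoreCase)) {
        throw "SHA-512 mismatch for $InstallerPath"
    }
    return $true
}

# Constructed sample data: a stand-in installer and three checksum files.
$dir = Join-Path ([IO.Path]::GetTempPath()) ([Guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$msi = Join-Path $dir 'example-agent-1.0.1.msi'
Set-Content -LiteralPath $msi -Value 'not a real installer'
$hash = (Get-FileHash -LiteralPath $msi -Algorithm SHA512).Hash.ToLower()
$cases = [ordered]@{
    good     = "$hash  example-agent-1.0.1.msi"
    stale    = "$('0' * 128)  example-agent-1.0.0.msi"
    wrongsum = "$('0' * 128)  example-agent-1.0.1.msi"
}
foreach ($name in $cases.Keys) {
    $sumFile = Join-Path $dir "$name.sha512"
    Set-Content -LiteralPath $sumFile -Value $cases[$name]
    try {
        Test-InstallerSha512 -InstallerPath $msi -ChecksumPath $sumFile | Out-Null
        "${name}: verified"
    } catch { "${name}: rejected ($($_.Exception.Message))" }
}
Remove-Item -LiteralPath $dir -Recurse -Force
```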
It is necessary to close https://github.com/wazuh/wazuh-automation/issues/1266 to close this issue.
Description
Currently, the Windows agent deployment provides an MD5 check. To update the MD5 checksum we need the package. This causes delays in the wazuh-ansible tag because we need to update it with the correct value, and it is error-prone.
To avoid this, we need to change the MD5 with the SHA512 that is available in packages.wazuh.com and packages-dev.wazuh.com, depending on the repo used to install the package. e.g.:
And perform the check using that file.
Tasks
check_md5 and md5 variables and their related Ansible tasks.
check_sha512 (boolean, default: true) in the roles/wazuh/ansible-wazuh-agent/defaults/main.yml file.
roles/wazuh/vars/repo.yml and roles/wazuh/vars/repo_pre-release.yml files.
Validation