wazuh / wazuh-ansible

Wazuh - Ansible playbook
https://wazuh.com

MD5 check must be replaced by SHA512 #1001

Closed teddytpc1 closed 1 year ago

teddytpc1 commented 1 year ago

Description

Currently, the Windows agent deployment provides an MD5 check. To update the MD5 checksum we need the package. This causes delays in the wazuh-ansible tag, because we need to update it with the correct value, and it is error-prone.

To avoid this, we need to replace the MD5 with the SHA512 that is available in packages.wazuh.com and packages-dev.wazuh.com, depending on the repo used to install the package, e.g.:

And perform the check using that file.

Tasks

Validation

davidcr01 commented 1 year ago

Update Report

Context

To solve this issue, some requirements have been satisfied:

```ini
[windows:vars]
ansible_user=vagrant
ansible_password=vagrant
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_ssh_port=5986
```

- Downloaded the [WinRM configuration script](https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1) and executed it on the Windows system.

## Development

### Variables

Some new variables have been added for the third task of this issue:
- In `roles/wazuh/vars/repo.yml`:
```yaml
wazuh_winagent_sha512_url: "https://packages.wazuh.com/4.x/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
```

### New tasks

New tasks have been added to the Windows.yml file. These tasks replace the MD5 verification with the SHA512 verification. Now, the checksum is not hardcoded but obtained from a downloaded file.

```yaml
# Fetch the .sha512 file published next to the package; dest is the
# download directory, so the file keeps its name from the URL.
- name: Windows | Download SHA512 checksum file
  win_get_url:
    url: "{{ wazuh_winagent_sha512_url }}"
    dest: "{{ wazuh_winagent_config.download_dir }}"
  when:
    - wazuh_winagent_config.check_sha512

# The file has the sha512sum layout "<digest>  <filename>"; keep the first field.
- name: Extract checksum from SHA512 file
  win_shell: Get-Content "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}.sha512" | ForEach-Object { $_.Split(' ')[0] }
  register: extracted_checksum
  when:
    - wazuh_winagent_config.check_sha512

# Hash the downloaded MSI with SHA512 and fail the play on any mismatch.
- name: Windows | Verify the Wazuh Agent installer
  win_stat:
    path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
    get_checksum: true
    checksum_algorithm: sha512
  register: wazuh_agent_status
  failed_when:
    - wazuh_agent_status.stat.checksum != extracted_checksum.stdout_lines[0]
  when:
    - wazuh_winagent_config.check_sha512
```

## Testing

:green_circle: Deploy verifying the checksum

```console
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Program Files (x86) exists] **************
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Directory", "creationtime": 1468649064.7707448, "exists": true, "filename": "Program Files (x86)", "hlnk_targets": [], "isarchive": false, "isdir": true, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": false, "isshared": false, "lastaccesstime": 1693480155.859194, "lastwritetime": 1693480155.859194, "nlink": 1, "owner": "NT SERVICE\\TrustedInstaller", "path": "C:\\Program Files (x86)", "size": 72068973}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x86)] *******************************
ok: [192.168.57.131] => {"ansible_facts": {"wazuh_agent_win_auth_path": "C:\\'Program Files (x86)'\\ossec-agent\\agent-auth.exe", "wazuh_agent_win_path": "C:\\Program Files (x86)\\ossec-agent\\"}, "changed": false}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x64)] *******************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Wazuh installer is already downloaded] ***
ok: [192.168.57.131] => {"changed": false, "stat": {"exists": false}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download Wazuh Agent package] *********************
changed: [192.168.57.131] => {"changed": true, "checksum_dest": "c8704688ca498b89406059f768c4a8e409de8171", "checksum_src": "c8704688ca498b89406059f768c4a8e409de8171", "dest": "C:\\wazuh-agent-4.5.1-1.msi", "elapsed": 2.6703264, "msg": "OK", "size": 6328320, "status_code": 200, "url": "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.5.1-1.msi"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download SHA512 checksum file] ********************
changed: [192.168.57.131] => {"changed": true, "checksum_dest": "d9f668e6d04891d86e56d1e46af2f71f3177604a", "checksum_src": "d9f668e6d04891d86e56d1e46af2f71f3177604a", "dest": "C:\\wazuh-agent-4.5.1-1.msi.sha512", "elapsed": 0.0937988, "msg": "OK", "size": 154, "status_code": 200, "url": "https://packages.wazuh.com/4.x/checksums/wazuh/4.5.1/wazuh-agent-4.5.1-1.msi.sha512"}
TASK [../roles/wazuh/ansible-wazuh-agent : Extract checksum from SHA512 file] **************************
changed: [192.168.57.131] => {"changed": true, "cmd": "Get-Content \"C:\\wazuh-agent-4.5.1-1.msi.sha512\" | ForEach-Object { $_.Split(' ')[0] }", "delta": "0:00:00.219201", "end": "2023-08-31 12:38:37.344512", "rc": 0, "start": "2023-08-31 12:38:37.125310", "stderr": "", "stderr_lines": [], "stdout": "3e06872590aa9e300a80d236039673182a1180c9dd6ca17396ab4f5d819b4686d35006608ff1490170bcfa0a8fde9713a0782e1b63236c43e3160735a388c5f9\r\n", "stdout_lines": ["3e06872590aa9e300a80d236039673182a1180c9dd6ca17396ab4f5d819b4686d35006608ff1490170bcfa0a8fde9713a0782e1b63236c43e3160735a388c5f9"]}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Verify the Wazuh Agent installer] *****************
ok: [192.168.57.131] => {"changed": false, "failed_when_result": false, "stat": {"attributes": "Archive", "checksum": "3e06872590aa9e300a80d236039673182a1180c9dd6ca17396ab4f5d819b4686d35006608ff1490170bcfa0a8fde9713a0782e1b63236c43e3160735a388c5f9", "creationtime": 1693485515.126237, "exists": true, "extension": ".msi", "filename": "wazuh-agent-4.5.1-1.msi", "hlnk_targets": [], "isarchive": true, "isdir": false, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": true, "isshared": false, "lastaccesstime": 1693485515.126237, "lastwritetime": 1693485515.110616, "nlink": 1, "owner": "BUILTIN\\Administrators", "path": "C:\\wazuh-agent-4.5.1-1.msi", "size": 6328320}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Install Agent if not already installed] ***********
ok: [192.168.57.131] => {"changed": false, "rc": 0, "reboot_required": false}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if client.keys exists] **********************
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Archive", "checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "creationtime": 1693480156.1874695, "exists": true, "extension": ".keys", "filename": "client.keys", "hlnk_targets": [], "isarchive": true, "isdir": false, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": true, "isshared": false, "lastaccesstime": 1693480156.1874695, "lastwritetime": 1693480156.1874695, "nlink": 1, "owner": "NT AUTHORITY\\SYSTEM", "path": "C:\\Program Files (x86)\\ossec-agent\\client.keys", "size": 0}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Register agent] ***********************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if ossec folder is accessible] **************
ok: [192.168.57.131] => {"changed": false}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Installing agent configuration (ossec.conf)] ******
ok: [192.168.57.131] => {"changed": false, "checksum": "1fa633eb3b630a2f91de7e52acedaa87973c6c9a"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Installing local_internal_options.conf] ***********
ok: [192.168.57.131] => {"changed": false, "checksum": "0836cd8eb65da2b28a8ce0256089c16a96b539f7"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Delete downloaded Wazuh agent installer file] *****
changed: [192.168.57.131] => {"changed": true}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Delete downloaded checksum file] ******************
changed: [192.168.57.131] => {"changed": true}
TASK [../roles/wazuh/ansible-wazuh-agent : include_tasks] **********************************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}

PLAY RECAP *********************************************************************************************
192.168.57.131 : ok=19 changed=5 unreachable=0 failed=0 skipped=5 rescued=0 ignored=0
```
:green_circle: Deploy without verifying the checksum

```console
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Program Files (x86) exists] **************
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Directory", "creationtime": 1468649064.7707448, "exists": true, "filename": "Program Files (x86)", "hlnk_targets": [], "isarchive": false, "isdir": true, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": false, "isshared": false, "lastaccesstime": 1693480155.859194, "lastwritetime": 1693480155.859194, "nlink": 1, "owner": "NT SERVICE\\TrustedInstaller", "path": "C:\\Program Files (x86)", "size": 72069355}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x86)] *******************************
ok: [192.168.57.131] => {"ansible_facts": {"wazuh_agent_win_auth_path": "C:\\'Program Files (x86)'\\ossec-agent\\agent-auth.exe", "wazuh_agent_win_path": "C:\\Program Files (x86)\\ossec-agent\\"}, "changed": false}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x64)] *******************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Wazuh installer is already downloaded] ***
ok: [192.168.57.131] => {"changed": false, "stat": {"exists": false}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download Wazuh Agent package] *********************
changed: [192.168.57.131] => {"changed": true, "checksum_dest": "c8704688ca498b89406059f768c4a8e409de8171", "checksum_src": "c8704688ca498b89406059f768c4a8e409de8171", "dest": "C:\\wazuh-agent-4.5.1-1.msi", "elapsed": 2.21794, "msg": "OK", "size": 6328320, "status_code": 200, "url": "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.5.1-1.msi"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download SHA512 checksum file] ********************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Extract checksum from SHA512 file] **************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Verify the Wazuh Agent installer] *****************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Install Agent if not already installed] ***********
ok: [192.168.57.131] => {"changed": false, "rc": 0, "reboot_required": false}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if client.keys exists] **********************
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Archive", "checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "creationtime": 1693480156.1874695, "exists": true, "extension": ".keys", "filename": "client.keys", "hlnk_targets": [], "isarchive": true, "isdir": false, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": true, "isshared": false, "lastaccesstime": 1693480156.1874695, "lastwritetime": 1693480156.1874695, "nlink": 1, "owner": "NT AUTHORITY\\SYSTEM", "path": "C:\\Program Files (x86)\\ossec-agent\\client.keys", "size": 0}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Register agent] ***********************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if ossec folder is accessible] **************
ok: [192.168.57.131] => {"changed": false}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Installing agent configuration (ossec.conf)] ******
ok: [192.168.57.131] => {"changed": false, "checksum": "1fa633eb3b630a2f91de7e52acedaa87973c6c9a"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Installing local_internal_options.conf] ***********
ok: [192.168.57.131] => {"changed": false, "checksum": "0836cd8eb65da2b28a8ce0256089c16a96b539f7"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Delete downloaded Wazuh agent installer file] *****
changed: [192.168.57.131] => {"changed": true}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Delete downloaded checksum file] ******************
ok: [192.168.57.131] => {"changed": false}
TASK [../roles/wazuh/ansible-wazuh-agent : include_tasks] **********************************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}

PLAY RECAP *********************************************************************************************
192.168.57.131 : ok=16 changed=2 unreachable=0 failed=0 skipped=8 rescued=0 ignored=0
```
:green_circle: Deploy verifying the wrong checksum (hardcoded)

```console
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Program Files (x86) exists] **************
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Directory", "creationtime": 1468649064.7707448, "exists": true, "filename": "Program Files (x86)", "hlnk_targets": [], "isarchive": false, "isdir": true, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": false, "isshared": false, "lastaccesstime": 1693480155.859194, "lastwritetime": 1693480155.859194, "nlink": 1, "owner": "NT SERVICE\\TrustedInstaller", "path": "C:\\Program Files (x86)", "size": 72070883}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x86)] *******************************
ok: [192.168.57.131] => {"ansible_facts": {"wazuh_agent_win_auth_path": "C:\\'Program Files (x86)'\\ossec-agent\\agent-auth.exe", "wazuh_agent_win_path": "C:\\Program Files (x86)\\ossec-agent\\"}, "changed": false}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Set Win Path (x64)] *******************************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Check if Wazuh installer is already downloaded] ***
ok: [192.168.57.131] => {"changed": false, "stat": {"attributes": "Archive", "checksum": "c8704688ca498b89406059f768c4a8e409de8171", "creationtime": 1693485874.5439076, "exists": true, "extension": ".msi", "filename": "wazuh-agent-4.5.1-1.msi", "hlnk_targets": [], "isarchive": true, "isdir": false, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": true, "isshared": false, "lastaccesstime": 1693485891.9662046, "lastwritetime": 1693485891.9316914, "nlink": 1, "owner": "BUILTIN\\Administrators", "path": "C:\\wazuh-agent-4.5.1-1.msi", "size": 6328320}}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download Wazuh Agent package] *********************
skipping: [192.168.57.131] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Download SHA512 checksum file] ********************
ok: [192.168.57.131] => {"changed": false, "checksum_dest": "cd9799cc40f1f290c92e3856c7531628670e026d", "checksum_src": "cd9799cc40f1f290c92e3856c7531628670e026d", "dest": "C:\\wazuh-agent-4.5.0-1.msi.sha512", "elapsed": 0.1406826, "msg": "OK", "size": 154, "status_code": 200, "url": "https://packages.wazuh.com/4.x/checksums/wazuh/4.5.0/wazuh-agent-4.5.0-1.msi.sha512"}
TASK [../roles/wazuh/ansible-wazuh-agent : Extract checksum from SHA512 file] **************************
changed: [192.168.57.131] => {"changed": true, "cmd": "Get-Content \"C:\\wazuh-agent-4.5.0-1.msi.sha512\" | ForEach-Object { $_.Split(' ')[0] }", "delta": "0:00:00.202862", "end": "2023-08-31 12:48:44.654477", "rc": 0, "start": "2023-08-31 12:48:44.451614", "stderr": "", "stderr_lines": [], "stdout": "94179e1bf54ca607aeb71087acd5166519503e148dc20a597c28249b0e4aa2d150f2bb3cca0653591b0fe7e1d061f0ef9e3baed965edae2df93059fd4ac27915\r\n", "stdout_lines": ["94179e1bf54ca607aeb71087acd5166519503e148dc20a597c28249b0e4aa2d150f2bb3cca0653591b0fe7e1d061f0ef9e3baed965edae2df93059fd4ac27915"]}
TASK [../roles/wazuh/ansible-wazuh-agent : Windows | Verify the Wazuh Agent installer] *****************
fatal: [192.168.57.131]: FAILED! => {"changed": false, "failed_when_result": true, "stat": {"attributes": "Archive", "checksum": "3e06872590aa9e300a80d236039673182a1180c9dd6ca17396ab4f5d819b4686d35006608ff1490170bcfa0a8fde9713a0782e1b63236c43e3160735a388c5f9", "creationtime": 1693485874.5439076, "exists": true, "extension": ".msi", "filename": "wazuh-agent-4.5.1-1.msi", "hlnk_targets": [], "isarchive": true, "isdir": false, "ishidden": false, "isjunction": false, "islnk": false, "isreadonly": false, "isreg": true, "isshared": false, "lastaccesstime": 1693485891.9662046, "lastwritetime": 1693485891.9316914, "nlink": 1, "owner": "BUILTIN\\Administrators", "path": "C:\\wazuh-agent-4.5.1-1.msi", "size": 6328320}}

PLAY RECAP *********************************************************************************************
192.168.57.131 : ok=10 changed=1 unreachable=0 failed=1 skipped=4 rescued=0 ignored=0
```
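The following is an added example, not code from wazuh-ansible or from either commenter. It reproduces, in stand-alone Python, the check that the issue asks for and that the three tasks above implement (fetch the `.sha512` file, take its first field, compare it with the SHA512 of the downloaded MSI), and adds one check the role does not make: the `.sha512` files use the `sha512sum` layout `<128 hex digits>  <filename>` (the 154-byte files in the logs above fit that layout exactly for `wazuh-agent-4.5.1-1.msi`: 128 + 2 + 23 + newline), so the filename field can be compared with the package name before hashing. That catches a checksum file fetched for the wrong version, which is exactly the "wrong checksum (hardcoded)" run above (a 4.5.0 `.sha512` against a 4.5.1 MSI), and it fails with a clearer message than a bare digest mismatch. The installer bytes and checksum files used here are constructed inside the script; they are not the real release artefacts. One caveat a practitioner should keep in mind: the checksum file is served from the same origin as the package, so a matching digest shows that the download is the file the repository published for that version (corruption, truncation, version mix-ups), not that the origin itself is trustworthy. That part rests on TLS to packages.wazuh.com (which `win_get_url` validates by default) and, where the MSI is Authenticode-signed, on a signature check that neither this script nor the role performs.

```python
"""Verify a downloaded package against a sha512sum-style checksum file.

Added example, not code from wazuh-ansible. Same logic as the role's three
tasks, plus a check that the filename listed in the .sha512 file matches.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# sha512sum layout: 128 hex digits, two spaces (or " *" for binary mode),
# then the file name. The 154-byte files in the issue's logs fit this layout
# for "wazuh-agent-4.5.1-1.msi" (128 + 2 + 23 + newline).
CHECKSUM_LINE_RE = re.compile(r"^(?P<digest>[0-9a-fA-F]{128})\s+\*?(?P<name>\S.*)$")

# Constructed stand-in for the MSI; the real installer is not embedded here.
PACKAGE_NAME = "wazuh-agent-4.5.1-1.msi"
SAMPLE_PACKAGE_BYTES = b"constructed stand-in for the MSI, not a real installer\n"


def parse_sha512sum_line(text):
    """Return (digest, filename) from the first non-blank line of a sha512sum file."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHECKSUM_LINE_RE.match(line)
        if not m:
            raise ValueError(f"not a sha512sum line: {line!r}")
        return m.group("digest").lower(), m.group("name")
    raise ValueError("checksum file is empty")


def sha512_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-512 so a large installer is not read into memory at once."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_package(package_path, checksum_path):
    """Raise ValueError unless checksum_path names package_path and its digest matches."""
    expected_digest, listed_name = parse_sha512sum_line(Path(checksum_path).read_text())
    package_name = Path(package_path).name
    # The role compares only the digest; checking the name too reports a
    # checksum file fetched for another version before hashing the package.
    if Path(listed_name).name != package_name:
        raise ValueError(f"checksum file is for {listed_name!r}, not {package_name!r}")
    actual_digest = sha512_of_file(package_path)
    if not hmac.compare_digest(actual_digest, expected_digest):
        raise ValueError("SHA512 mismatch")
    return True


def _outcome(package_path, checksum_path):
    try:
        verify_package(package_path, checksum_path)
        return "ok"
    except ValueError as exc:
        return str(exc)


def demo():
    """Exercise the situations from the issue's test runs on constructed files."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        package = tmp / PACKAGE_NAME
        package.write_bytes(SAMPLE_PACKAGE_BYTES)

        # 1. matching checksum file (the "Deploy verifying the checksum" run)
        good = tmp / f"{PACKAGE_NAME}.sha512"
        good.write_text(f"{sha512_of_file(package)}  {PACKAGE_NAME}\n")
        results["good"] = verify_package(package, good)

        # 2. checksum file for another version (the "wrong checksum" run,
        #    which fetched wazuh-agent-4.5.0-1.msi.sha512 for a 4.5.1 package)
        other = tmp / "wazuh-agent-4.5.0-1.msi.sha512"
        other.write_text(f"{hashlib.sha512(b'other release').hexdigest()}  wazuh-agent-4.5.0-1.msi\n")
        results["wrong_version"] = _outcome(package, other)

        # 3. right checksum file, package modified after download
        package.write_bytes(SAMPLE_PACKAGE_BYTES + b"\x00")
        results["tampered"] = _outcome(package, good)
    return results


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

`demo()` returns `True` for the matching pair, `"checksum file is for 'wazuh-agent-4.5.0-1.msi', not 'wazuh-agent-4.5.1-1.msi'"` for the version mix-up, and `"SHA512 mismatch"` for the modified package. On the Windows target the same comparison is what `win_stat` with `checksum_algorithm: sha512` plus the `failed_when` in the role does; this script is the controller-side or CI equivalent.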
davidcr01 commented 1 year ago

It is necessary to close https://github.com/wazuh/wazuh-automation/issues/1266 to close this issue.