wazuh / wazuh-dashboard-plugins

Plugins for Wazuh Dashboard
https://wazuh.com/
GNU General Public License v2.0

Agent installation instructions - the command to install windows might not work #4085

Closed gdiazlo closed 2 years ago

gdiazlo commented 2 years ago
| Wazuh | Elastic | Rev | Security |
|---|---|---|---|
| 4.x | 7.x | 4xxx | - |

Description

The command to install an agent displayed by the UI step-by-step guide is:

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi -OutFile wazuh-agent-4.3.0.msi; ./wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='10.0.0.241' WAZUH_REGISTRATION_SERVER='10.0.0.241'

This command does not work if it is executed in a PowerShell session whose working directory is c:\windows\system32, even with administrator privileges. This seems to be a common scenario.


This command works correctly if it is executed from the user's $home directory. We can modify the command to:

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.2.6-1.msi -OutFile "$home\wazuh-agent-4.2.6.msi"; Invoke-Expression "$home\wazuh-agent-4.2.6.msi /q WAZUH_MANAGER='wazuh' WAZUH_REGISTRATION_SERVER='wazuh'"

which uses the user's $home folder regardless of where it is executed. But this approach assumes the user's $home is defined and writable, which most of the time should be true.

We should agree with the @wazuh/cicd team and @wazuh/core on this.

gdiazlo commented 2 years ago

We need to update @wazuh/content to reflect the change in the documentation.

santiago-bassett commented 2 years ago

Do we want to use $home? What are other vendors doing?

okynos commented 2 years ago

Hello team,

I have done some research on this problem. We have the following facts:

Here are traces of a working and a failing installation: working-trace.txt, error-trace.txt

Recommended command (tested) to set into the Wazuh app:

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi -OutFile C:\wazuh-agent-4.3.0.msi; C:\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='xxx.xxx.xxx.xxx' WAZUH_REGISTRATION_SERVER='xxx.xxx.xxx.xxx' WAZUH_AGENT_GROUP='default'; rm C:\wazuh-agent-4.3.0.msi

I don't recommend the use of the $home variable, since it could be missing in Windows XP or other versions.

Comparison with Chocolatey install:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

okynos commented 2 years ago

Vendors installation

| Vendor | Install command | Ref | Notes |
|---|---|---|---|
| CrowdStrike/Falcon | msiexec.exe /i CrowdStrikeInstaller.msi CID=123456qweasdzxc | REF | It lacks a download strategy. |
| LogRythm | LRSystemMonitor.exe /S /v/qn | REF | It lacks a download strategy. |
| SumoLogic | SumoCollector.exe -console -q "-Vsumo.accessid=<accessId>" "-Vsumo.accesskey=<accessKey>" "-Vsources=<filepath>" | REF | It lacks a download strategy. |
| Datadog | start /wait msiexec /qn /i datadog-agent-7-latest.amd64.msi APIKEY="XXX" SITE="datadoghq.eu" or Start-Process -Wait msiexec -ArgumentList '/qn /i datadog-agent-7-latest.amd64.msi APIKEY="XXX" SITE="datadoghq.eu"' | REF (in cloud app) | It lacks a download strategy. |
| TrendMicro | AcAgentSetup_x86.exe ServerHost=https://10.10.10.42:4343 | REF | It lacks a download strategy. |
| AtomiCorp | Invoke-WebRequest http://<hub_ip>/installers/agent_deployV2.ps1 -Outfile .\agent_deployV2.ps1 | REF | ⚠️ The only one that includes a download strategy; it will probably fail like our command. |
| Splunk | msiexec.exe /I Splunk.msi SPLUNKUSERNAME=SplunkAdmin SPLUNKPASSWORD=MyNewPassword /quiet | REF | It lacks a download strategy. |
| FleetDM | No command | REF | It is a deploy tool that manages the installation. |
| Osquery | No MSI, no command | REF | Build the MSI file and install as usual. |
| Tanium | SetupClient.exe /ServerAddress={<FQDN/IPaddress>}[,{<FQDN/IPaddress>},...] [/ServerPort=<PortNumber>] [/LogVerbosityLevel=<LogLevel>] [/KeyPath=<FullPath>\[tanium‑init.dat/tanium.pub] [/ReportingTLSMode=[0/1/2]] [/ProxyAutoConfigAddress=<URL/filename.pac>] [/ProxyServers=<FQDN/IPaddress:PortNumber>] [/S] [/D=<DirectoryPath>] | REF | It lacks a download strategy. |
| SentinelOne | "C:\Users\usr\AppData\Local\Temp\SentinelInstaller.msi" /q /norestart UI=false SITE_TOKEN="51te70k3n" | REF | It lacks a download strategy. |
| Carbonblack | msiexec /qn /i C:\Users\UserFolderName\Desktop\installer_vista_win7_win8-64.msi /L*vx log.txt COMPANY_CODE=12345678 GROUP_NAME=Phase1 | REF | It lacks a download strategy. |
| Kubernetes | No command | REF | Download the EXE and add it to the path. |
| Docker | | REF | It lacks a download strategy. |
| Grafana | No command | REF | It lacks a download strategy. |
| Elastic | No MSI, no command | REF | Elastic provides ZIPs instead of MSIs; you have to download the ZIP, uncompress it and install it in the Program Files folder. |
| TripWire | <installer_file> INSTALLDIR=<target_binary_installation_dir> | REF | It lacks a download strategy. |

Windows environment variables

Suggested vars:

Reference -> https://en.wikipedia.org/wiki/Environment_variable#Microsoft_Windows

Suggested command

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.0.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='xxx.xxx.xxx.xxx' WAZUH_REGISTRATION_SERVER='xxx.xxx.xxx.xxx' WAZUH_AGENT_GROUP='default'

⚠️ Take a look at AtomiCorp case ⚠️

snaow commented 2 years ago

In progress. @wazuh/qa testing.

Machi3mfl commented 2 years ago

Solution screenshot (Splunk): [screenshot]

jmv74211 commented 2 years ago

After the review of this issue https://github.com/wazuh/wazuh-qa/issues/2855, it was determined that the command worked correctly, with the exception of a particular version of Windows 7.

Further investigation was performed at https://github.com/wazuh/wazuh-qa/issues/2869, and it was concluded that the Invoke-WebRequest cmdlet was added as of PowerShell v3 (see: "This cmdlet was introduced in PowerShell 3.0.").

After installing Windows 7 Service Pack 1 and Service Pack 2, it has been possible to upgrade the PowerShell version from 2.0 to 5.1, and it has been verified that the command now works correctly.

@fedepacher has yet to check that the command works correctly with PowerShell v3.0.

In case it works correctly with this version (it should), it is proposed to add a message that PowerShell v3 or higher is required for Windows.

AlexRuiz7 commented 2 years ago

PR for Splunk: https://github.com/wazuh/wazuh-splunk/pull/1315

Desvelao commented 2 years ago

Changes

We added the requirement of PowerShell 3.0 or later in these PRs:

jmv74211 commented 2 years ago

After the tests performed by @fedepacher here, we can conclude that on Windows the command:

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.0.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='xxx.xxx.xxx.xxx' WAZUH_REGISTRATION_SERVER='xxx.xxx.xxx.xxx' WAZUH_AGENT_GROUP='default'

works for PowerShell versions >= 3.0.
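A hardened version of the one-liner the thread converges on, added here as an example; it is not code from the Wazuh project or from any participant in this issue. It covers the two failure modes discussed: it refuses to run on PowerShell older than 3.0 (the Windows 7 / PowerShell 2.0 case QA found, since Invoke-WebRequest does not exist there), and it downloads into the user's temp folder instead of the current directory (the System32 working-directory case from the original report). It also runs msiexec explicitly and checks its exit code, and verifies the installer before executing it. The manager address, the agent version, the optional pinned SHA256 and the assumption that the MSI carries a valid Authenticode signature are operator inputs and my own assumptions, not facts stated in the thread.

```powershell
# Added example, not Wazuh project code. Run from an elevated PowerShell >= 3.0 session:
#   .\install-wazuh-agent.ps1 -Manager 10.0.0.241 -ExpectedSha256 <hash published out of band>
# Assumptions (not from the thread): the MSI is Authenticode-signed; the operator
# supplies the manager address and, optionally, a pinned SHA256 for the MSI.
param(
    [Parameter(Mandatory = $true)] [string] $Manager,
    [string] $Version = '4.3.0-1',            # package version as used in the thread's URL
    [string] $AgentGroup = 'default',
    [string] $ExpectedSha256 = ''             # optional: pin the installer hash
)

$ErrorActionPreference = 'Stop'

# 1. Invoke-WebRequest only exists in PowerShell 3.0+ (the PS 2.0 failure found by QA).
if ($PSVersionTable.PSVersion.Major -lt 3) {
    throw "PowerShell 3.0 or later is required; found $($PSVersionTable.PSVersion)"
}

# 2. msiexec /i of a per-machine package needs elevation; fail early instead of mid-install.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session'
}

# 3. Download into %TEMP%, never into the current directory (System32 is a common CWD),
#    and enable TLS 1.2 (3072) for the download, as the Chocolatey installer does.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor 3072
$fileVersion = $Version -replace '-\d+$', ''   # 4.3.0-1 -> 4.3.0, matching the file name in the thread
$msi = Join-Path $env:TEMP "wazuh-agent-$fileVersion.msi"
$uri = "https://packages.wazuh.com/4.x/windows/wazuh-agent-$Version.msi"
Invoke-WebRequest -Uri $uri -OutFile $msi

try {
    # 4a. Optional pinned hash. Get-FileHash is PS 4.0+, so hash via .NET to keep the PS 3.0 floor.
    if ($ExpectedSha256) {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($msi)
        try { $actual = ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
        finally { $stream.Close() }
        if ($actual -ne $ExpectedSha256.ToUpper()) { throw "SHA256 mismatch for $msi : $actual" }
    }
    # 4b. Authenticode check (assumes the package is signed; adjust if your build is not).
    $sig = Get-AuthenticodeSignature -FilePath $msi
    if ($sig.Status -ne 'Valid') { throw "Installer signature status is '$($sig.Status)'; refusing to install" }

    # 5. Call msiexec explicitly and wait for it so the exit code is visible to the caller.
    #    WAZUH_* are MSI public properties, so they are passed as PROPERTY=value tokens.
    $msiArgs = @(
        '/i', "`"$msi`"", '/q',
        "WAZUH_MANAGER=$Manager",
        "WAZUH_REGISTRATION_SERVER=$Manager",
        "WAZUH_AGENT_GROUP=$AgentGroup"
    )
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required (ERROR_SUCCESS_REBOOT_REQUIRED)
    if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
        throw "msiexec exited with code $($proc.ExitCode)"
    }
    Write-Host "Wazuh agent installed (msiexec exit code $($proc.ExitCode))"
}
finally {
    # 6. Remove the installer from the shared temp folder whether or not the install succeeded.
    Remove-Item -Path $msi -ErrorAction SilentlyContinue
}
```

Two points worth noting. First, the hash check uses the .NET SHA256 class rather than Get-FileHash only because the latter appeared in PowerShell 4.0 and the thread settles on 3.0 as the floor. Second, the Chocolatey command quoted earlier in the thread pipes a downloaded script straight into iex; the pattern above deliberately downloads a file, verifies it, and only then hands it to msiexec, so a tampered download stops before anything executes.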