Closed gdiazlo closed 2 years ago
We need to update @wazuh/content to reflect the change in the documentation.
Do we want to use $home? What are other vendors doing?
Hello team,
I have done some research about this problem. We got the following facts:

- `vagrant` has `C:\Windows\System32`. Administrator has `C:\Users\Administrator`.
- The `vagrant` user can't see any new file in the System32 folder, so it cannot see the MSI.
- The Administrator user cannot see the files downloaded into System32, but it can execute them.
- `vagrant` user: that doesn't allow such user to launch the installer.
- Here we have got different traces of working and error installation: working-trace.txt, error-trace.txt
Recommended command (tested) to set into the Wazuh app:

```powershell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi -OutFile C:\wazuh-agent-4.3.0.msi; C:\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='xxx.xxx.xxx.xxx' WAZUH_REGISTRATION_SERVER='xxx.xxx.xxx.xxx' WAZUH_AGENT_GROUP='default'; rm C:\wazuh-agent-4.3.0.msi
```
I don't recommend the use of the `$home` variable, as it could be missing in Windows XP or other versions.
Comparison with the Chocolatey install:

```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
```
| Vendor | Install command | Ref | Notes |
|---|---|---|---|
| CrowdStrike/Falcon | `msiexec.exe /i CrowdStrikeInstaller.msi CID=123456qweasdzxc` | REF | It lacks a download strategy. |
| LogRythm | `LRSystemMonitor.exe /S /v/qn` | REF | It lacks a download strategy. |
| SumoLogic | `SumoCollector.exe -console -q "-Vsumo.accessid=<accessId>" "-Vsumo.accesskey=<accessKey>" "-Vsources=<filepath>"` | REF | It lacks a download strategy. |
| Datadog | `start /wait msiexec /qn /i datadog-agent-7-latest.amd64.msi APIKEY="XXX" SITE="datadoghq.eu"` or `Start-Process -Wait msiexec -ArgumentList '/qn /i datadog-agent-7-latest.amd64.msi APIKEY="XXX" SITE="datadoghq.eu"'` | REF in cloud app | It lacks a download strategy. |
| TrendMicro | `AcAgentSetup_x86.exe ServerHost=https://10.10.10.42:4343` | REF | It lacks a download strategy. |
| AtomiCorp | `Invoke-WebRequest http://<hub_ip>/installers/agent_deployV2.ps1 -Outfile .\agent_deployV2.ps1` | REF | ⚠️ The only one that includes a download strategy; probably it will fail like our command. |
| Splunk | `msiexec.exe /I Splunk.msi SPLUNKUSERNAME=SplunkAdmin SPLUNKPASSWORD=MyNewPassword /quiet` | REF | It lacks a download strategy. |
| FleetDM | No command | REF | It is a deploy tool that manages installation. |
| Osquery | No MSI, no command | REF | Build the MSI file and install as usual. |
| Tanium | `SetupClient.exe /ServerAddress={<FQDN/IPaddress>}[,{<FQDN/IPaddress>},...] [/ServerPort=<PortNumber>] [/LogVerbosityLevel=<LogLevel>] [/KeyPath=<FullPath>\[tanium‑init.dat/tanium.pub] [/ReportingTLSMode=[0/1/2]] [/ProxyAutoConfigAddress=<URL/filename.pac>] [/ProxyServers=<FQDN/IPaddress:PortNumber>] [/S] [/D=<DirectoryPath>]` | REF | It lacks a download strategy. |
| SentinelOne | `"C:\Users\usr\AppData\Local\Temp\SentinelInstaller.msi" /q /norestart UI=false SITE_TOKEN="51te70k3n"` | REF | It lacks a download strategy. |
| Carbonblack | `msiexec /qn /i C:\Users\UserFolderName\Desktop\installer_vista_win7_win8-64.msi /L*vx log.txt COMPANY_CODE=12345678 GROUP_NAME=Phase1` | REF | It lacks a download strategy. |
| Kubernetes | No command | REF | Download the EXE and add it to the path. |
| Docker | | REF | It lacks a download strategy. |
| Grafana | No command | REF | It lacks a download strategy. |
| Elastic | No MSI, no command | REF | Elastic provides ZIPs instead of MSIs; you have to download the ZIP, uncompress it and install it in the Program Files folder. |
| TripWire | `<installer_file> INSTALLDIR=<target_binary_installation_dir>` | REF | It lacks a download strategy. |
Suggested vars:

| CMD | PowerShell |
|---|---|
| `%SystemDrive%` | `$env:systemdrive` |
| `%APPDATA%` | `$env:appdata` |
| `%HOMEDRIVE%` | `$env:homedrive` |
| `%HOMEPATH%` | `$env:homepath` |
| `%ProgramFiles%` | `$env:programfiles` |
| `%TEMP%` / `%TMP%` | `$env:temp` |
| `%USERPROFILE%` | `$env:userprofile` |

Reference -> https://en.wikipedia.org/wiki/Environment_variable#Microsoft_Windows
```powershell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.0.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='xxx.xxx.xxx.xxx' WAZUH_REGISTRATION_SERVER='xxx.xxx.xxx.xxx' WAZUH_AGENT_GROUP='default'
```
⚠️ Take a look at AtomiCorp case ⚠️
In progress. @wazuh/qa testing.
After the review of this issue https://github.com/wazuh/wazuh-qa/issues/2855, it was determined that the command worked correctly, with the exception of a particular version of Windows 7.

Further investigation was performed at https://github.com/wazuh/wazuh-qa/issues/2869, and it was concluded that the `Invoke-WebRequest` command was added as of PowerShell v3 (see: "This cmdlet was introduced in PowerShell 3.0.").

After installing Windows 7 Service Pack 1 and Service Pack 2, it has been possible to upgrade the PowerShell version from 2.0 to 5.1, and it has been verified that the command now works correctly.

@fedepacher has yet to check that the command works correctly for PowerShell v3.0. In case it works correctly with this version (it should), it is proposed to add a message that PowerShell v3 or higher is required for Windows.
PR for Splunk: https://github.com/wazuh/wazuh-splunk/pull/1315
We added the requirement of PowerShell 3.0 or later in these PRs:
After the tests performed by @fedepacher here, we can conclude that on Windows the command:

```powershell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.0.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='xxx.xxx.xxx.xxx' WAZUH_REGISTRATION_SERVER='xxx.xxx.xxx.xxx' WAZUH_AGENT_GROUP='default'
```

works for PowerShell versions >= 3.0.
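The points raised in the research comment above (download to a per-user writable location such as `$env:TEMP` rather than the current directory, which may be `C:\Windows\System32`, and invoke `msiexec.exe` explicitly) and in the QA conclusion (PowerShell 3.0 or later is required for `Invoke-WebRequest`) can be folded into one script that checks each precondition and the installer's exit code. This is an added example, not Wazuh's own code and not a command posted in this thread; the parameter names, the `xxx.xxx.xxx.xxx` placeholder addresses, the log file name and the use of `-UseBasicParsing` are assumptions of the example, and the TLS 1.2 line mirrors the Chocolatey one-liner quoted earlier.

```powershell
# Added example (not Wazuh project code): download the agent MSI to the user's
# TEMP directory and install it with msiexec, checking each step.
param(
    [string]$Manager = 'xxx.xxx.xxx.xxx',             # placeholder, not a real address
    [string]$RegistrationServer = 'xxx.xxx.xxx.xxx',  # placeholder, not a real address
    [string]$AgentGroup = 'default',
    [string]$Version = '4.3.0-1',
    [string]$Uri = "https://packages.wazuh.com/4.x/windows/wazuh-agent-$Version.msi"
)

# 1. Invoke-WebRequest only exists from PowerShell 3.0 onwards (QA conclusion above).
if ($PSVersionTable.PSVersion.Major -lt 3) {
    throw "PowerShell 3.0 or later is required (found $($PSVersionTable.PSVersion))."
}

# 2. Older Windows builds may not offer TLS 1.2 by default; enable it the same way
#    the Chocolatey one-liner in this thread does (3072 = Tls12).
[System.Net.ServicePointManager]::SecurityProtocol = `
    [System.Net.ServicePointManager]::SecurityProtocol -bor 3072

# 3. Write the MSI to a per-user, writable directory instead of the current
#    directory, which may be C:\Windows\System32 in an elevated shell.
$tempDir = $env:TEMP
if (-not $tempDir -or -not (Test-Path -LiteralPath $tempDir -PathType Container)) {
    throw "No usable TEMP directory for this user."
}
$msiPath = Join-Path $tempDir "wazuh-agent-$Version.msi"
$logPath = Join-Path $tempDir 'wazuh-agent-install.log'   # assumed log file name

try {
    # -UseBasicParsing skips the Internet Explorer parsing engine on Windows PowerShell.
    Invoke-WebRequest -Uri $Uri -OutFile $msiPath -UseBasicParsing
    if (-not (Test-Path -LiteralPath $msiPath)) {
        throw "Download failed: $msiPath was not created."
    }

    # 4. Run the installer explicitly through msiexec and wait for it to finish.
    #    /q is the quiet flag used by the command in this thread; /L*v writes a
    #    verbose log that helps when the install fails silently.
    $msiArgs = @(
        '/i', "`"$msiPath`"", '/q',
        "WAZUH_MANAGER=$Manager",
        "WAZUH_REGISTRATION_SERVER=$RegistrationServer",
        "WAZUH_AGENT_GROUP=$AgentGroup",
        '/L*v', "`"$logPath`""
    )
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # 5. msiexec returns 0 on success and 3010 when a reboot is pending; anything
    #    else is a failure and the log tells you why.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec exited with code $($proc.ExitCode); see $logPath."
    }
    Write-Host "Wazuh agent $Version installed (msiexec exit code $($proc.ExitCode))."
}
finally {
    # 6. Remove the downloaded MSI whether or not the install succeeded.
    if (Test-Path -LiteralPath $msiPath) {
        Remove-Item -LiteralPath $msiPath -Force
    }
}
```

Run it from an elevated PowerShell session, since the MSI writes under Program Files and registers a service; the script itself no longer cares which directory the session starts in, which is the failure mode this issue describes.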
Description

The command to install an agent displayed by the UI step-by-step guide is:

```powershell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi -OutFile wazuh-agent-4.3.0.msi; ./wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='10.0.0.241' WAZUH_REGISTRATION_SERVER='10.0.0.241'
```

This command, if executed in a PowerShell in `c:\windows\system32`, even with administrator privileges, does not work. This seems to be a common scenario.

This command works correctly if it is executed from the user `$home` directory. We can modify this command by:

```powershell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.2.6-1.msi -OutFile "$home\wazuh-agent-4.2.6.msi"; Invoke-Expression "$home\wazuh-agent-4.2.6.msi /q WAZUH_MANAGER='wazuh' WAZUH_REGISTRATION_SERVER='wazuh'"
```

which will use the user `$home` folder regardless of where it is executed to solve this. But this approach will assume the user `$home` is defined and writable, which most of the time should be true.

We should agree with the @wazuh/cicd team and @wazuh/core on this.