Status: Closed (Dwordcito closed this issue 1 year ago)
Tester | PR commit |
---|---|
@fedepacher | https://github.com/wazuh/wazuh/pull/15404/commits/b5bcf3ec6f6edca7fe700dca207e0ec6f9bac2a0 |
OS | OS version | Deployment | Notes |
---|---|---|---|
Windows | XP | Vagrant box | dvgamerr/win-xp-sp3 |
Windows | Vista | Vagrant box | danimaetrix/windows-vista-sp2 |
Windows | 7 | Vagrant box | opensky/windows-7-professional-sp1-x64 |
Windows | 8 | Vagrant box | universalvishwa/windows-8-professional-x64 |
Windows | 2003 | ISO | Link |
Windows | 2008 | Vagrant box | jborean93/WindowsServer2008-x86 |
Windows | 2012 | AWS-EC2 | ami-03bca45832bdfb291 |
Windows | 2016 | AWS-EC2 | ami-0ce166ca1b447f229 |
Windows | 2019 | AWS-EC2 | ami-06371c9f2ad704460 |
Windows | 2022 | AWS-EC2 | ami-047e29beecff33db0 |
Windows | 10 | Vagrant box | gusztavvargadr/windows-10 |
Windows | 11 | Vagrant box | gusztavvargadr/windows-11 |
wazuh-manager | wazuh-agent |
---|---|
deb | msi |
OS version | Upgrade | Fresh install | Verify Signature dbsync.dll after Upgrade | Verify Signature dbsync.dll after Fresh install |
---|---|---|---|---|
XP | :red_circle: | :red_circle: | :black_circle: | :black_circle: |
Vista | :red_circle: | :green_circle: | :red_circle: | :green_circle: |
7 | :red_circle: | :green_circle: | :red_circle: | :green_circle: |
8 | :red_circle: | :yellow_circle: | :red_circle: | :green_circle: |
2003 | :red_circle: | :red_circle: | :black_circle: | :black_circle: |
2008 | :red_circle: | :green_circle: | :red_circle: | :green_circle: |
2012 | :red_circle: | :yellow_circle: | :red_circle: | :green_circle: |
2016 | :red_circle: | :green_circle: | :red_circle: | :green_circle: |
2019 | :red_circle: | :yellow_circle: | :red_circle: | :green_circle: |
2022 | :red_circle: | :yellow_circle: | :red_circle: | :green_circle: |
10 | :red_circle: | :green_circle: | :red_circle: | :green_circle: |
11 | :red_circle: | :green_circle: | :red_circle: | :green_circle: |
Legend: :black_circle: it could not verify the signature; :red_circle: file not signed; :green_circle: file signed.
If the library dbsync.dll is not signed, after the upgrade to the fix package the dbsync.dll still remains not signed.
Note: In the upgrade tab, the :red_circle: means that the agent has not started because the dbsync.dll has not been replaced (still unsigned) or, in some cases, that the agent started even though the dbsync.dll was modified.
Update - 24/11/2022
Perform proposed checks for WVista, W7, W2003, W8, W10 and W11
Hi @fedepacher!
Tough work here, kudos for that!
After checking the results, I have the next observations:
- The `Can't load syscollector` message is unexpected and should not happen. This might indicate some problem that could lead to other errors. Could you please validate that this error does not happen after breaking dbsync with the echo?
- Stating "has not started because the dbsync.dll has not been replaced (still unsigned)" is quite critical. This conclusion is based on the wazuh agent saying so, but we are trying to validate this feature and it can contain a bug. The right way to validate this is
On the other hand, please double-check that after a fresh installation every exe and dll were signed. This will be step 0 to guarantee the other tests will be taken into account.
The next validation during testing will be really helpful (on the wazuh agent install dir and with powershell):
```powershell
Get-AuthenticodeSignature *.dll
Get-AuthenticodeSignature *.exe
Get-FileHash *.dll | Format-List
Get-FileHash *.exe | Format-List
```
I was not able to reproduce this case because the used MSI package was removed and I could not execute its generation again. But using a signed v4.4 installer, I was able to:
- Upgrade from v4.3.10 to v4.4
- Fresh install v4.4
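One way to run the validation suggested in the review over the whole install directory, as an added example (not Wazuh project code) that also covers the tamper scenario from the issue description (`echo 1 >> dbsync.dll`): it records each DLL/EXE's Authenticode status, signer and SHA256, flags anything that is not `Valid`, and, when given the CSV from a pre-upgrade run, reports files whose hash the upgrade left unchanged. It assumes the default install path quoted in this issue and PowerShell 4.0 or later (for `Get-FileHash`), so it does not apply to XP or 2003.

```powershell
# Added example (not Wazuh project code): audit the Authenticode status and SHA256
# of every DLL/EXE in the agent install dir, and optionally compare with a snapshot
# taken before the upgrade to see which files the installer really replaced.
# The install path below is the default one named in this issue; adjust if needed.
param(
    [string]$AgentDir = 'C:\Program Files (x86)\ossec-agent',
    [string]$Baseline = ''   # optional: CSV written by a previous run of this script
)

function Get-AgentFileReport {
    param([string]$Dir)
    Get-ChildItem -Path $Dir -Include *.dll, *.exe -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName.Substring($Dir.Length).TrimStart('\')
            Status = $sig.Status   # Valid, NotSigned, HashMismatch (e.g. after "echo 1 >>"), ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$report = Get-AgentFileReport -Dir $AgentDir
$report | Format-Table File, Status, Signer -AutoSize

# "Step 0" from the review: every DLL and EXE must carry a valid signature.
$bad = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} file(s) unsigned or with an invalid signature:" -f $bad.Count)
    $bad | Format-Table File, Status -AutoSize
}

# Compare with the pre-upgrade snapshot: a file whose hash did not change across the
# upgrade (such as a tampered dbsync.dll) was not replaced by the new package.
if ($Baseline -and (Test-Path $Baseline)) {
    $old = @{}
    Import-Csv -Path $Baseline | ForEach-Object { $old[$_.File] = $_.SHA256 }
    $unchanged = @($report | Where-Object { $old.ContainsKey($_.File) -and $old[$_.File] -eq $_.SHA256 })
    foreach ($f in $unchanged) { Write-Host "NOT replaced by upgrade: $($f.File)" }
}

# Save this run so the next invocation (after the upgrade) can use it as -Baseline.
$out = Join-Path $env:TEMP 'wazuh-agent-signatures.csv'
$report | Export-Csv -Path $out -NoTypeInformation
Write-Host "Report written to $out"
exit ([int]($bad.Count -gt 0))
```

Run it once after modifying dbsync.dll and again after the upgrade with `-Baseline` pointing at the first CSV; dbsync.dll being listed as not replaced is exactly the packaging behaviour the thread describes.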
Based on what we have been discussing with @jnasselle, we will perform a new test to validate the feature.
The previous test steps were:
```
echo 1 >> dbsync.dll
```
`dll` has not been replaced.
For this case, we have noticed that when a dll file is modified, the modified files are not replaced by the new ones belonging to the new version while the upgrade process is being carried out.
As this seems to be a package bug, the new test will be performed:
```
echo 1 >> dbsync.dll
```
Note: The new test will break the `dll` after upgrading the package.
Note: In this second set of tests, only some Windows OSs were tested in order to verify that the feature works. As the feature failed, it was decided to stop the manual testing and review the fix.
After the latest tests performed in https://github.com/wazuh/wazuh-qa/issues/3612#issuecomment-1327756942, it has been found that the new changes break Windows XP and that for example in Windows 8 the following error message is displayed:
```
wazuh-agent: ERROR: WinVerifyTrust returned 800B0101 GetLastError returned 800B0101
```
Note: No progress has been made with testing of other OS's, because bugs have been reported and have to be fixed first.
This has been reported and the development team is trying to come up with a new partial approach to avoid these problems. Until such resolution, this issue remains blocked.
Tester | PR commit |
---|---|
@BelenValdivia | https://github.com/wazuh/wazuh/pull/15404/commits/bf4c69897083b90db4ebcfbcb84a3a2a42bafffb |
OS | OS version | Deployment | Notes |
---|---|---|---|
Windows | XP | Vagrant box | dvgamerr/win-xp-sp3 |
Windows | Vista | Vagrant box | danimaetrix/windows-vista-sp2 |
Windows | 7 | Vagrant box | opensky/windows-7-professional-sp1-x64 |
Windows | 8 | Vagrant box | universalvishwa/windows-8-professional-x64 |
Windows | 2003 | ISO | Link |
Windows | 2008 | Vagrant box | charris/windows-2008-r2-x64 |
Windows | 2012 | AWS EC-2 | ami-0a7732d66244fa923 |
Windows | 2016 | AWS EC-2 | ami-0ce166ca1b447f229 |
Windows | 2019 | AWS EC-2 | ami-0c4af4610ab22c4f4 |
Windows | 2022 | AWS EC-2 | ami-047e29beecff33db0 |
Windows | 10 | ISO | |
Windows | 11 | Vagrant box | gusztavvargadr/windows-11 |
wazuh-manager | wazuh-agent |
---|---|
rpm | msi-flag1 msi-flag2 |
The proposed tests were carried out successfully, both in packages with the flag IMAGE_TRUST_CHECK=1 and with IMAGE_TRUST_CHECK=2.
Enhancement found for Windows XP and Windows Server 2003: the signature validation log should show the certificate name. Already solved and tested.
OS version | Upgrade | Fresh install | Verify Signature dbsync.dll after Upgrade | Verify Signature dbsync.dll after Fresh install |
---|---|---|---|---|
XP | 🟢 | 🟢 | ⚫ | ⚫ |
Vista | 🟢 | 🟢 | 🟢 | 🟢 |
7 | 🟢 | 🟢 | 🟢 | 🟢 |
8 | 🟢 | 🟢 | 🟢 | 🟢 |
2003 | 🟢 | 🟢 | ⚫ | ⚫ |
2008 | 🟢 | 🟢 | 🟢 | 🟢 |
2012 | 🟢 | 🟢 | 🟢 | 🟢 |
2016 | 🟢 | 🟢 | 🟢 | 🟢 |
2019 | 🟢 | 🟢 | 🟢 | 🟢 |
2022 | 🟢 | 🟢 | 🟢 | 🟢 |
10 | 🟢 | 🟢 | 🟢 | 🟢 |
11 | 🟢 | 🟢 | 🟢 | 🟢 |
Legend: ⚫ it could not verify the signature; 🟢 file signed.
Blocked until the Windows 2003 error is analyzed by Core.
Windows Server 2003: 1- After installing the certificate DigiCert High Assurance EV Root CA (package with IMAGE_TRUST_CHECK=2), the log in ossec.log is wrong:
```
2023/01/09 10:17:54 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\wazuh-agent.exe' is not signed or its signature is invalid.
```
The log should be:
```
2023/01/09 13:28:27 wazuh-agent: CRITICAL: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found.
```
Hi @BelenValdivia, the problem involved in W2003 is that this OS does not natively support SHA256 on this version, and the operating system is not updated (the needed patch is 8 years old).
Official patch.
Description
This problem aims to do a complete test both with a package that is signed (all its libraries and the wazuh binary itself) and one that is not.
Both should be functional, but with the characteristic that if the package is signed (dlls and executable), and one of its libraries is not, it causes the main wazuh process to stop.
Proposed checks
Steps to reproduce
```
echo 1 >> dbsync.dll
```
Expected results
The main purpose of this is so that malicious code does not reside under the wazuh process.