Wazuh agent package uninstallation protection for Linux #23466

Open
havidarou opened this issue May 16, 2024 · 0 comments
Labels: level/objective, module/install (Issue related to the installation process), type/enhancement (New feature or request)

havidarou commented May 16, 2024

Description

We need to develop a mechanism to prevent the uninstallation of the Wazuh agent from Linux endpoints. This will enhance security by ensuring that agents are not removed without proper authorization. To achieve this, we will implement a validation process involving the Wazuh manager API.

Functional Requirements

Validation endpoint

  • A new Wazuh manager API endpoint named /management_authorization will be created.
  • This endpoint will accept an action argument that will be used to validate whether the requesting user's permissions contain that action.
  • A new action named agent:uninstall will be added to the Wazuh manager API, accompanied by a reserved policy, role, and user.

Uninstallation process

  • The uninstallation process will read Wazuh manager API credentials and use them to validate the agent:uninstall action via a request to the /management_authorization endpoint.
  • If the validation cannot be accomplished, the uninstallation will not proceed.
  • A new configuration block for the Wazuh agent named anti_tampering will be added, and inside it a new setting named package_uninstallation.
  • The new configuration block can be pushed via remote configuration.
  • The package uninstallation validation will only occur if the package_uninstallation setting is enabled.

Non-Functional Requirements

  • Security. Ensure secure communication between the Wazuh agent and the manager API using HTTPS and implement authentication and authorization mechanisms to secure the validation endpoint.

  • Reliability. The validation endpoint should be highly available and reliable.

  • Performance. The validation process should introduce minimal latency to the uninstallation process.

  • Scalability. Ensure the validation endpoint can handle concurrent requests from multiple agents.

Implementation Restrictions

  • Compatibility. Ensure the solution is compatible with tier 1 Linux OSs.

  • Minimal changes. Minimize changes to the existing Wazuh agent and manager codebase.

Plan

Spike

  • Define the API schema for the validation endpoint.
    • Owner: @wazuh/devel-pyserver
    • Teams involved: @wazuh/devel-pyserver
  • Design the changes required in the Wazuh agent uninstallation process.
    • Owner: @wazuh/devel-agent
    • Teams involved: @wazuh/devel-agent

MVP implementation

  • Implement the validation endpoint in the Wazuh manager API.
    • Owner: @wazuh/devel-pyserver
    • Teams involved: @wazuh/devel-pyserver
  • Modify the Wazuh agent uninstallation script/process to integrate with the validation endpoint.
    • Owner: @wazuh/devel-agent
    • Teams involved: @wazuh/devel-agent

Feature complete implementation

  • Anti-tampering configuration implementation.
    • Owner: @wazuh/devel-agent
    • Teams involved: @wazuh/devel-agent
  • New API endpoint documentation
    • Owner: @wazuh/devel-pyserver
    • Teams involved: @wazuh/devel-pyserver
  • New Wazuh agent uninstallation and anti_tampering configuration documentation
    • Owner: @wazuh/devel-agent
    • Teams involved: @wazuh/devel-agent

Acceptance testing

  • Test the modified uninstallation process on all tier 1 Linux OSs.
    • Owner: @wazuh/devel-agent
    • Teams involved: @wazuh/devel-agent
havidarou changed the title from "Wazuh agent uninstallation protection for Linux" to "Wazuh agent package uninstallation protection for Linux" on May 16, 2024

vikman90 added the module/install (Issue related to the installation process) label on May 21, 2024
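
A fail-closed gate for the uninstallation process described in the functional requirements, as an added example that is not part of the issue or of Wazuh's code. The XML form of the anti_tampering block with a yes value, the GET request with an action query parameter, the bearer token, and HTTP 200 meaning "authorized" are all assumptions, since the issue leaves the API schema to the spike.

```shell
#!/bin/sh
# Added example, not Wazuh code. Assumed: XML config with a yes/no value, a GET
# request with an "action" query parameter, a bearer token, 200 = authorized.

# Succeeds only if package_uninstallation is "yes" inside <anti_tampering>.
protection_enabled() {
    [ -r "$1" ] || return 1
    match=$(sed -n '/<anti_tampering>/,/<\/anti_tampering>/{
        /<package_uninstallation>[[:space:]]*yes[[:space:]]*<\/package_uninstallation>/p
    }' "$1")
    [ -n "$match" ]
}

# Prints the HTTP status of the validation request ($1 = API base URL,
# $2 = token). curl prints 000 when no response arrives (DNS, TLS, timeout).
# --proto '=https' refuses any non-HTTPS URL; certificate checks stay on.
query_authorization() {
    curl --silent --proto '=https' --max-time 10 \
        --output /dev/null --write-out '%{http_code}' \
        --header "Authorization: Bearer $2" \
        --get --data-urlencode 'action=agent:uninstall' \
        "$1/management_authorization"
}

# $1 = config path, remaining args = command that prints the HTTP status.
# Returns 0 when removal may proceed. Anything but an explicit 200 denies.
uninstall_allowed() {
    conf=$1
    shift
    protection_enabled "$conf" || return 0    # setting off: no validation
    status=$("$@" 2>/dev/null) || status=000  # request failed: treat as denied
    [ "$status" = "200" ]
}

# Usage in a removal hook (variables are placeholders):
#   uninstall_allowed "$AGENT_CONF" query_authorization "$API_URL" "$TOKEN" || exit 1
```

The status command is passed in as an argument so the decision logic can be exercised without a manager; an unreachable manager, a timeout, and a 403 all end in the same refusal.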
Projects
Status: Draft