Wazuh agent package uninstallation protection for Linux #23466
Labels
level/objective
module/install
Issue related to the installation process
type/enhancement
New feature or request
Description
We need to develop a mechanism to prevent the uninstallation of the Wazuh agent from Linux endpoints. This will enhance security by ensuring that agents are not removed without proper authorization. To achieve this, we will implement a validation process involving the Wazuh manager API.
Functional Requirements
Validation endpoint
/management_authorization will be created.
action argument that will be used to validate whether the requesting user permissions contain that action.
agent:uninstall will be added to the Wazuh manager API, accompanied by a reserved policy, role, and user.
Uninstallation process
agent:uninstall action via a request to the /management_authorization endpoint.
anti_tampering will be added, and inside it a new setting named package_uninstallation.
package_uninstallation is enabled.
Non-Functional Requirements
Security. Ensure secure communication between the Wazuh agent and the manager API using HTTPS and implement authentication and authorization mechanisms to secure the validation endpoint.
Reliability. The validation endpoint should be highly available and reliable.
Performance. The validation process should introduce minimal latency to the uninstallation process.
Scalability. Ensure the validation endpoint can handle concurrent requests from multiple agents.
Implementation Restrictions
Compatibility. Ensure the solution is compatible with tier 1 Linux OSs.
Minimal changes. Minimize changes to the existing Wazuh agent and manager codebase.
Plan
Spike
MVP implementation
Feature complete implementation
anti_tampering configuration documentation
Acceptance testing
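The decision flow from the functional requirements above, as an added Python example that is not Wazuh code and not part of the original issue. The policy shape, the deny-overrides rule, the fail-closed behaviour, the reading of package_uninstallation as the switch that turns validation on, and the names permissions_contain, may_uninstall and validate are assumptions; validate stands in for the HTTPS request to /management_authorization, whose request and response format the issue does not specify.

```python
from typing import Callable, Iterable, Mapping

UNINSTALL_ACTION = "agent:uninstall"  # action name taken from the issue


def permissions_contain(policies: Iterable[Mapping], action: str) -> bool:
    """Manager side: does the requesting user's policy set contain `action`?

    Assumed policy shape: {"actions": [...], "effect": "allow" | "deny"}.
    Assumed semantics: an explicit deny overrides any allow.
    """
    allowed = False
    for policy in policies:
        if action not in policy.get("actions", ()):
            continue
        if policy.get("effect") == "deny":
            return False
        if policy.get("effect") == "allow":
            allowed = True
    return allowed


def may_uninstall(package_uninstallation: bool,
                  validate: Callable[[str], bool]) -> bool:
    """Agent side: decide whether package removal may proceed.

    `validate` is a hypothetical callable wrapping the request to
    /management_authorization; it returns True when the manager authorizes.
    """
    if not package_uninstallation:
        return True  # assumed: setting disabled means no validation is done
    try:
        return validate(UNINSTALL_ACTION) is True
    except Exception:
        # Assumption: fail closed. An unreachable manager or a rejected
        # credential must not become a way around the protection.
        return False


# Constructed sample policy sets for three users.
ADMIN = [{"actions": ["agent:read", "agent:uninstall"], "effect": "allow"}]
READ_ONLY = [{"actions": ["agent:read"], "effect": "allow"}]
REVOKED = ADMIN + [{"actions": ["agent:uninstall"], "effect": "deny"}]


def manager_down(action: str) -> bool:
    """Constructed failure: the validation request never gets an answer."""
    raise ConnectionError("manager unreachable")
```

Failing closed means an endpoint that cannot reach the manager cannot remove the agent either, which is the availability cost the Reliability requirement has to absorb.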