Standardize platform Field in Header and Inventory Messages #369

Closed
Tracked by #241
vikman90 opened this issue Nov 29, 2024 · 2 comments · Fixed by #373
Labels
level/task Task issue module/inventory Inventory module mvp Minimum Viable Product refinement type/change Change performed in a resource or Wazuh Cloud environment

Comments

@vikman90
Member

Parent Issue: #241

Description

In system inventory messages, the platform field has inconsistent values between the inventory payload and the message header.

Example of a stateful system inventory request:

{
  "agent": {
    "groups": [],
    "host": {
      "architecture": "x86_64",
      "hostname": "Rocket",
      "ip": ["172.28.54.98", "fe80::215:5dff:feb2:9368"],
      "os": {
        "name": "Ubuntu",
        "platform": "Linux",
        "version": "24.04.1 LTS (Noble Numbat)"
      }
    },
    "id": "0c9fd1e7-7cb6-4f98-b8fa-49a714905db4",
    "name": "dummy",
    "type": "Endpoint",
    "version": "5.0.0"
  }
}

{
  "id": "aW52ZW50b3J5OnN5c3RlbTpVYnVudHU=",
  "module": "inventory",
  "operation": "create",
  "type": "system"
}

{
  "@timestamp": "2024/11/29 12:46:17",
  "host": {
    "architecture": "x86_64",
    "hostname": "Rocket",
    "os": {
      "full": "noble",
      "kernel": "",
      "name": "Ubuntu",
      "platform": "ubuntu",
      "type": "Linux",
      "version": "24.04.1 LTS (Noble Numbat)"
    }
  }
}
  • The header contains:
    "platform": "Linux"
  • The inventory payload contains:
    "platform": "ubuntu"

This inconsistency creates confusion and may lead to compatibility issues, particularly with components such as Vulnerability Detector, which rely on these fields.

Expected Behavior

  • Ensure the platform field is consistent across both the header and the inventory payload.
  • Determine whether the value should be:
    1. "Linux" (current header value).
    2. "ubuntu" (current inventory value).
  • These changes must be compliant with ECS.

Proposed Solution

  1. Synchronize with @wazuh/devel-cppserver to decide on the appropriate value for the platform field.
    • If "Linux" is preferred, update the inventory payload accordingly.
    • If "ubuntu" is preferred, update the header field and rename it to avoid breaking compatibility (e.g., platform_distribution).
  2. Ensure the change is backward-compatible with existing integrations, particularly Vulnerability Detector.
  3. Document the final decision and its rationale in both developer and user documentation to avoid future misunderstandings.
@vikman90 vikman90 added level/task Task issue type/change Change performed in a resource or Wazuh Cloud environment module/inventory Inventory module mvp Minimum Viable Product refinement labels Nov 29, 2024
@wazuhci wazuhci moved this to Backlog in Release 5.0.0 Nov 29, 2024
@cborla cborla self-assigned this Nov 29, 2024
@wazuhci wazuhci moved this from Backlog to In progress in Release 5.0.0 Nov 29, 2024
@cborla
Member

cborla commented Nov 29, 2024

Analysis

When completing the system table, the indexer documentation was used as a reference.

It defines the field host.os.platform as follows:

| Field name | Data type | Description | Example |
|---|---|---|---|
| host.os.name | keyword | Operating system name, without the version. | Mac OS X |
| host.os.platform | keyword | Operating system platform (such as centos, ubuntu, windows). | darwin |
| host.os.type | keyword | One of: linux, macos, unix, windows, ios, android. | macos |
| host.os.version | keyword | Operating system version as a raw string. | 10.14.1 |

Proposal

I think another possible option is to use the type field in the header instead of the platform field. That way we maintain compatibility with the documentation and the system table, and the update would be in the header only.

{
  "agent": {
    "groups": [],
    "host": {
      "architecture": "x86_64",
      "hostname": "Rocket",
      "ip": ["172.28.54.98", "fe80::215:5dff:feb2:9368"],
      "os": {
        "name": "Ubuntu",
        "type": "Linux",
        "version": "24.04.1 LTS (Noble Numbat)"
      }
    },
    "id": "0c9fd1e7-7cb6-4f98-b8fa-49a714905db4",
    "name": "dummy",
    "type": "Endpoint",
    "version": "5.0.0"
  }
}
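To make the inconsistency and the proposed fix concrete, here is an added example (not Wazuh project code) that compares the host.os fields of a message header against its inventory payload and checks os.type against the ECS values listed in the table above; the sample messages are constructed from this issue's examples.

```python
"""Added example (not Wazuh project code): check that the OS fields an agent
sends in the message header agree with the ones in the inventory payload."""
from __future__ import annotations
import json

# OS families listed for host.os.type in the indexer (ECS) table above.
ECS_OS_TYPES = frozenset({"linux", "macos", "unix", "windows", "ios", "android"})

# Sample messages constructed from the examples in this issue.
HEADER_BEFORE = json.loads('''{"agent": {"host": {"architecture": "x86_64",
  "hostname": "Rocket", "os": {"name": "Ubuntu", "platform": "Linux",
  "version": "24.04.1 LTS (Noble Numbat)"}}}}''')
HEADER_PROPOSED = json.loads('''{"agent": {"host": {"architecture": "x86_64",
  "hostname": "Rocket", "os": {"name": "Ubuntu", "type": "Linux",
  "version": "24.04.1 LTS (Noble Numbat)"}}}}''')
PAYLOAD = json.loads('''{"host": {"architecture": "x86_64", "hostname": "Rocket",
  "os": {"full": "noble", "kernel": "", "name": "Ubuntu", "platform": "ubuntu",
  "type": "Linux", "version": "24.04.1 LTS (Noble Numbat)"}}}''')


def os_fields(header: dict, payload: dict) -> tuple[dict, dict]:
    """Pull the host.os objects out of the two message shapes."""
    return (header.get("agent", {}).get("host", {}).get("os", {}),
            payload.get("host", {}).get("os", {}))


def find_mismatches(header: dict, payload: dict) -> dict[str, tuple[str, str]]:
    """Return {field: (header_value, payload_value)} for every host.os field
    present on both sides whose values differ (compared case-insensitively).
    An empty dict means the header and payload are consistent."""
    h_os, p_os = os_fields(header, payload)
    return {f: (h_os[f], p_os[f]) for f in sorted(h_os.keys() & p_os.keys())
            if str(h_os[f]).lower() != str(p_os[f]).lower()}


def is_ecs_os_type(value: str) -> bool:
    """ECS keyword fields match exactly and the documented host.os.type
    values are lowercase, so "Linux" is rejected while "linux" passes."""
    return value in ECS_OS_TYPES


if __name__ == "__main__":
    print("before:", find_mismatches(HEADER_BEFORE, PAYLOAD))      # platform differs
    print("proposed:", find_mismatches(HEADER_PROPOSED, PAYLOAD))  # {}
    for h in (HEADER_BEFORE, HEADER_PROPOSED):
        t = os_fields(h, PAYLOAD)[0].get("type")
        print("os.type", t, "is ECS-valid:", t is not None and is_ecs_os_type(t))
```

Note that even the proposed header passes the cross-check only case-insensitively: the capitalised "Linux" is not one of the lowercase values the ECS table documents for host.os.type.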

@vikman90
Member Author

vikman90 commented Dec 2, 2024

Thank you @cborla.

Let's sync with @wazuh/devel-pyserver to merge both PRs together:

@wazuhci wazuhci moved this from In review to Blocked in Release 5.0.0 Dec 2, 2024
@wazuhci wazuhci moved this from Blocked to Done in Release 5.0.0 Dec 4, 2024