Add Stateless Messages to Inventory Module Indicating Detected Deltas #437

Open
4 tasks
Tracked by #241
vikman90 opened this issue Dec 17, 2024 · 4 comments · May be fixed by #454
@vikman90
Member

Description

The Inventory module must produce a stateless message containing the deltas (changes) detected during an inventory scan. These messages will accompany the stateful messages, ensuring that both event types provide relevant information about detected changes.

Requirements

  1. Stateless Message Generation
    • The Inventory module must generate a stateless message when a delta (change) is detected.
    • Stateless messages should only be produced after the initial scan has completed.
    • These messages must be generated alongside the stateful messages.
  2. ECS Compliance
    • Both stateless and stateful messages must conform to the ECS (Elastic Common Schema) format.
  3. Delta Representation
    • Stateless messages should clearly indicate the delta or change detected during the scan process.

Acceptance Criteria

  • Stateless messages are generated when changes are detected, excluding the initial scan.
  • Stateless messages accompany the corresponding stateful messages.
  • Messages follow ECS standards.
  • Deltas are accurately represented in the stateless message.
@vikman90 vikman90 added level/task Task issue module/inventory Inventory module mvp Minimum Viable Product refinement type/enhancement Enhancement issue labels Dec 17, 2024
@wazuhci wazuhci moved this to Backlog in Release 5.0.0 Dec 17, 2024
@wazuhci wazuhci moved this from Backlog to In progress in Release 5.0.0 Dec 17, 2024
@cborla cborla linked a pull request Jan 3, 2025 that will close this issue
28 tasks
@cborla
Member

cborla commented Jan 3, 2025

Work update

2025/01/03

  • Rebased the branch to master.
  • Code review.
  • E2E testing.

2025/01/08

  • Unit test fixed.
  • Analyzing the new message structure similar to FIM.

2025/01/10

  • Stateless event section construction.
    • Hardware
    • Ports
    • Packages
    • Include state differences in the json
  • First Scan code analysis.

2025/01/13

  • Added previous value structure.
  • Working on preparing the stateless JSON object to send.

@ncvicchi
Contributor

2025/01/09

  • Implemented first scan detection logic
  • Implemented writemetadata, readmetadata and deletemetadata functions
  • Performed logic behaviour tests with several scenarios

@ncvicchi
Contributor

Database first scan flags reflection in metadata table:

All options enabled:

| Key | Value |
|---|---|
| hardware-first-scan | 2025-01-10T15:40:56.879Z |
| hotfixes-first-scan | 2025-01-10T15:41:02.217Z |
| networks-first-scan | 2025-01-10T15:41:02.394Z |
| packages-first-scan | 2025-01-10T15:41:01.051Z |
| ports-first-scan | 2025-01-10T15:41:02.378Z |
| processes-first-scan | 2025-01-10T15:41:02.217Z |
| system-first-scan | 2025-01-10T15:40:56.883Z |

networks and packages disabled:

| Key | Value |
|---|---|
| hardware-first-scan | 2025-01-10T15:40:56.879Z |
| hotfixes-first-scan | 2025-01-10T15:41:02.217Z |
| ports-first-scan | 2025-01-10T15:41:02.378Z |
| processes-first-scan | 2025-01-10T15:41:02.217Z |
| system-first-scan | 2025-01-10T15:40:56.883Z |

Inventory module disabled:

| Key | Value |
|---|---|

Inventory module reenabled:

| Key | Value |
|---|---|
| hardware-first-scan | 2025-01-10T15:47:42.625Z |
| hotfixes-first-scan | 2025-01-10T15:47:43.829Z |
| ports-first-scan | 2025-01-10T15:47:44.141Z |
| processes-first-scan | 2025-01-10T15:47:43.829Z |
| system-first-scan | 2025-01-10T15:47:42.628Z |

networks and packages reenabled:

| Key | Value |
|---|---|
| hardware-first-scan | 2025-01-10T15:47:42.625Z |
| hotfixes-first-scan | 2025-01-10T15:47:43.829Z |
| networks-first-scan | 2025-01-10T15:49:08.714Z |
| packages-first-scan | 2025-01-10T15:49:07.622Z |
| ports-first-scan | 2025-01-10T15:47:44.141Z |
| processes-first-scan | 2025-01-10T15:47:43.829Z |
| system-first-scan | 2025-01-10T15:47:42.628Z |

@nbertoldo nbertoldo self-assigned this Jan 13, 2025
@nbertoldo
Member

nbertoldo commented Jan 13, 2025

Work update

2025/01/13

  • Enable return_old_data option to add previous data in the inventory delta events.
  • We should avoid storing null fields in the dbsync database, since every scan reports a change. This is because when reading the table it gets “” instead of null.

2025/01/14

  • Remove false deltas caused by storing null values in the inventory tables.
  • Fix unit tests.
  • Analysis of how to update metadata table without starting the whole inventory module.
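
Added example, not part of the thread and not the project's code: a sketch of the behaviour discussed above, where a per-table `<table>-first-scan` metadata key suppresses stateless deltas during the first scan, deltas carry the previous value, and null is treated as equal to "" so a null read back as "" does not raise a false change on every scan. The types, function names and the `board_serial` / `cpu_cores` columns are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Hypothetical types for this example; not the Wazuh agent's own API.
using Row = std::map<std::string, const char*>;        // column -> value, nullptr = null
using Metadata = std::map<std::string, std::string>;   // "<table>-first-scan" -> timestamp
struct FieldDelta { std::string field, previous, current; };

// null and "" compare equal, so a null that reads back as "" is not a change.
static std::string Normalize(const Row& row, const std::string& column) {
    const auto it = row.find(column);
    return (it == row.end() || it->second == nullptr) ? std::string() : std::string(it->second);
}

// Changed columns with their previous and current values.
std::vector<FieldDelta> DiffRow(const Row& stored, const Row& scanned) {
    Row columns = stored;
    columns.insert(scanned.begin(), scanned.end());     // union of column names
    std::vector<FieldDelta> deltas;
    for (const auto& entry : columns) {
        const std::string before = Normalize(stored, entry.first);
        const std::string after = Normalize(scanned, entry.first);
        if (before != after) deltas.push_back({entry.first, before, after});
    }
    return deltas;
}

// One scan of a single-row table; deltas are returned only after the first scan.
std::vector<FieldDelta> RunScan(const std::string& table, Row& stored, const Row& scanned,
                                Metadata& metadata, const std::string& now) {
    const std::string key = table + "-first-scan";
    const bool firstScan = metadata.find(key) == metadata.end();
    std::vector<FieldDelta> deltas = firstScan ? std::vector<FieldDelta>() : DiffRow(stored, scanned);
    stored = scanned;                                   // stateful side: always persist new state
    if (firstScan) metadata[key] = now;                 // flag set once the first scan is done
    return deltas;
}

int main() {
    Metadata metadata;
    Row db;                                             // constructed sample data below
    const Row first = {{"board_serial", nullptr}, {"cpu_cores", "4"}};
    RunScan("hardware", db, first, metadata, "2025-01-10T15:40:56.879Z");
    db["board_serial"] = "";                            // simulate null read back as ""
    const Row second = {{"board_serial", nullptr}, {"cpu_cores", "8"}};
    for (const auto& d : RunScan("hardware", db, second, metadata, "2025-01-10T15:45:00.000Z"))
        std::cout << d.field << ": " << d.previous << " -> " << d.current << "\n";
}
```

Serializing the returned deltas into an ECS-conformant message is outside this sketch.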
