
Inventory Category - Kernel Modules #808

@cborla

Description


This epic tracks the design and implementation of a unified inventory model for Kernel Modules within the Wazuh architecture. The goal is to define a structured, cross-platform data contract to collect and represent kernel-level components across Linux, Windows, and macOS. This includes Linux kernel modules, Windows drivers, and macOS kernel extensions.

The resulting inventory must be normalized and follow an ECS-aligned schema, enabling visibility and auditing of kernel-level components through stateful events that are consistent across platforms.

Functional Requirements

  • Propose and agree on the data model (fields and structure) for:
    • Linux kernel modules
    • Windows drivers
    • macOS kernel extensions
  • Ensure ECS compatibility where applicable, with wazuh.* extensions as needed.
  • Prefer a single index in the Indexer (e.g. wazuh-inventory-kernel-modules) for storing all platform data.

Non-Functional Requirements

  • The schema should support efficient filtering by name, load status, version, and source.
  • Normalize platform-specific attributes while preserving relevant details.
  • Output should be ready for integration into API queries and Dashboard views.

Plan

Indexer

  • Define the document format for kernel module entries:
    • Include a platform or module_type field for Linux/Windows/macOS.
  • Store all records in a single index, enabling unified analysis.

Agent

  • DBSync
    • Model the inventory with a unified table:
      • Accepts records from kernel_modules, drivers, and kernel_extensions.
    • Integrate collection logic into syscollector via extended_sources.

Related Collector Issues

Server

  • Wazuh-DB
    • Use Rsync to synchronize kernel_modules_inventory data.
    • Maintain a schema that supports platform-specific fields within a unified structure.
    • Provide filtering and query capabilities through the API.

Dashboard

  • Define how kernel module data will be visualized:
    • Group by load status (loaded, unloaded, failed).
    • Filter by platform, module name, or version.
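As an added illustration (example code written for this page, not Wazuh's own code and not the agreed schema), the following Python sketches the normalization the Indexer, Non-Functional Requirements and Dashboard sections describe: platform-native records are flattened onto a shared field set (`module_type`, `name`, `version`, `load_status`, `source`, all assumed names) while the original attributes are kept for auditing, and the result is grouped by load status and filtered as the Dashboard section proposes. The sample records and their keys are constructed.

```python
from collections import Counter
INDEX = "wazuh-inventory-kernel-modules"  # the single index proposed in the epic

# Constructed sample records, one tuple per collected component. Keys imitate
# each platform's native attributes and are NOT the agreed Wazuh/ECS field set.
RAW_RECORDS = [
    ("linux", {"module": "xfs", "state": "Live", "srcversion": "CONSTRUCTED01",
               "filename": "/lib/modules/6.1.0/kernel/fs/xfs/xfs.ko", "signer": "kernel key"}),
    ("linux", {"module": "example_mod", "state": "Loading", "srcversion": "",
               "filename": "/lib/modules/6.1.0/extra/example_mod.ko", "signer": None}),
    ("windows", {"Name": "tcpip", "State": "Running", "Version": "10.0.19041.1",
                 "PathName": "C:\\Windows\\system32\\drivers\\tcpip.sys", "StartMode": "Boot"}),
    ("windows", {"Name": "parport", "State": "Stopped", "Version": "10.0.19041.1",
                 "PathName": "C:\\Windows\\system32\\drivers\\parport.sys", "StartMode": "Manual"}),
    ("macos", {"bundle_id": "com.apple.driver.AppleHDA", "version": "601.1", "loaded": True,
               "path": "/System/Library/Extensions/AppleHDA.kext"}),
]

# Native state -> normalized load_status. States not in the map become "unknown"
# instead of being guessed, so a new native value never silently reads as "loaded".
LOAD_STATUS = {
    "linux": {"Live": "loaded", "Unloading": "unloaded"},
    "windows": {"Running": "loaded", "Stopped": "unloaded"},
}

def normalize(module_type, raw):
    """Flatten the fields every platform shares; keep the original record
    under platform_details so platform-specific detail survives normalization."""
    if module_type == "linux":
        name, version, source = raw["module"], raw.get("srcversion") or None, raw.get("filename")
        status = LOAD_STATUS["linux"].get(raw.get("state"), "unknown")
    elif module_type == "windows":
        name, version, source = raw["Name"], raw.get("Version"), raw.get("PathName")
        status = LOAD_STATUS["windows"].get(raw.get("State"), "unknown")
    elif module_type == "macos":
        name, version, source = raw["bundle_id"], raw.get("version"), raw.get("path")
        status = "loaded" if raw.get("loaded") else "unloaded"
    else:
        raise ValueError(f"unsupported module_type: {module_type}")
    return {"module_type": module_type, "name": name, "version": version,
            "load_status": status, "source": source, "platform_details": dict(raw)}

def build_documents(records=RAW_RECORDS):
    return [normalize(module_type, raw) for module_type, raw in records]

def group_by_load_status(docs):  # the grouping the Dashboard section asks for
    return dict(Counter(doc["load_status"] for doc in docs))

def filter_documents(docs, **criteria):  # e.g. module_type="linux", load_status="loaded"
    return [doc for doc in docs if all(doc.get(k) == v for k, v in criteria.items())]
```

Running `group_by_load_status(build_documents())` on the constructed records yields three loaded components, one unloaded and one unknown (the Linux module still in the "Loading" state), which is the kind of bucket the Dashboard can render per platform.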

Deliverables

  • Define and document the ECS/WCS field set for kernel_modules_inventory.
  • Propose the DBSync table schema (a single unified table).
  • Define the Wazuh-DB schema and Rsync format for synchronization.
  • Align syscollector outputs with the agreed model.
  • Validate and test the schema on all Tier 1 platforms (Linux, Windows, macOS).

Acceptance Criteria

  • A formal document or JSON schema exists defining the fields and structure for kernel modules.
  • The agent generates inventory data in the agreed format using syscollector.
  • Wazuh-DB stores and synchronizes the information correctly via Rsync.
  • The Indexer receives structured inventory data with correct mappings and searchable fields.
  • The Dashboard can query and visualize the new kernel module inventory fields.
